Abstract. To prove liveness properties of concurrent systems, it is often necessary to postulate progress, fairness and justness properties. This paper investigates how the necessary progress, fairness and justness assumptions can be added to or incorporated in a standard process-algebraic specification formalism. We propose a formalisation that can be applied to a wide range of process algebras. The presented formalism is used to reason about route discovery and packet delivery in the setting of wireless networks.


1 Introduction 

In a process-algebraic setting, safety properties of concurrent systems are usually shown by the use of invariants on a labelled transition system (LTS). This does not require any assumptions about the behaviour of concurrent systems beyond their modelling as states in an LTS. In order to prove liveness properties on the other hand it is usually necessary to postulate certain progress, fairness and justness properties as part of the specification of the systems under investigation. This paper investigates how the necessary progress, fairness and justness properties can be added to or incorporated in a standard process-algebraic specification formalism. Liveness properties are formalised in terms of a temporal logic interpreted on complete paths in the LTS of the process algebra. Progress, fairness and justness properties are captured by fine-tuning the definition of what constitutes a complete path.

Section 2 introduces an Algebra of Broadcast Communication (ABC)—a variant of the process algebra CBS [20]—that is essentially CCS [16] augmented with a formalism for broadcast communication. ABC is given a structural operational semantics [18] that interprets expressions as states in an LTS. We develop our approach for formalising liveness properties as well as progress, fairness and justness assumptions in terms of this process algebra. However, the presented approach can be applied to a wide range of process algebras. ABC is largely designed to be a convenient starting point for transferring the presented theory to such algebras; it contains all the features for which we are aware that the application of our theory poses non-trivial problems, and, at the same time, is kept as simple as possible. In [8] we apply the same approach to a more involved process algebra called AWN (Algebra for Wireless Networks).

Section 3 recalls Linear-time Temporal Logic (LTL) [19] and describes a way to interpret it on a labelled transition system that arises as the semantic interpretation of a process algebra like ABC. This yields a way to represent desirable properties of concurrent systems specified in such a process algebra by means of LTL properties. We illustrate this by formulating packet delivery, a liveness property studied in [8] in the context of wireless mesh network protocols. The presented development applies just as well to desirable properties of concurrent systems specified in branching time temporal logics such as CTL and CTL*.

In Section 4.1 we formulate an elementary progress assumption on the behaviour of processes, without which no useful liveness property of a system will hold. In the standard interpretation of temporal logic [mi] a stronger progress assumption is built in, but we argue that this stronger version is not a valid assumption in the context of reactive systems. In order to derive a progress assumption that is both necessary and justifiable in the reactive context we envision, we introduce the concept of an output action, which cannot be blocked by the context in which a process is running. Although output actions are commonplace in many specification formalisms, their use in process algebra is limited at best, and we have not seen them used to define progress properties. The main reason for working with a language that is richer than CCS is that restricted to CCS the set of output actions would be empty.

In Section 4.2 we discuss weak and strong fairness assumptions and propose a formalisation in the context of process algebras like ABC by augmenting a process-algebraic specification $P$ with a fairness specification, which is given as a collection of temporal logic formulas. This follows the traditional approach of TLA [13] and other formalisms [9], “in which first the legal computations are specified, and then a fairness notion is used to exclude some computations which otherwise would be legal” [L]. However, in order to do justice to the reactive nature of the systems under consideration, we need a more involved consistency requirement between the process-algebraic specification of a system and its fairness specification.

In Section 4.3 we propose a justness assumption for parallel-composed transition systems, essentially assuming progress of all the component processes. In the literature, such justness properties are typically seen as special cases of weak fairness properties, and the term justice is often used as a synonym for weak fairness. Here we consider justness to be a notion distinct from fairness, and propose a completely different formalisation. Fairness is a property of schedulers that repeatedly choose between tasks, whereas justness is a property of parallel-composed transition systems. Nevertheless, we show that our notion of justness coincides with the original notion of justice of m—a weak fairness property. This requires an interpretation of the work of m applied to LTSs involving a more precise definition—and decision—of what it means for a transition to be continuously enabled.
Table 1. Structural operational semantics of ABC [table not legible in the scan]



Finally, Section 5 addresses the question whether system specifications consisting of a process-algebraic and a fairness specification allow implementations that can be described entirely process-algebraically, i.e., without fairness component. Here an ‘implementation’ allows the replacement of nondeterministic choices by (more) deterministic choices following a particular scheduling policy. In the context of CCS we conjecture a negative answer by showing an extremely simple fair scheduling specification—given as a CCS expression augmented with a fairness specification—that could not be implemented by any CCS expression alone. This specification does allow an implementation in ABC without fairness component, which takes advantage of justness properties for output actions.

2 ABC—An Algebra of Broadcast Communication 

The Algebra of Broadcast Communication (ABC) is parametrised with sets $\mathcal{A}$ of agent identifiers, $\mathcal{B}$ of broadcast names and $\mathcal{C}$ of handshake communication names; each $A \in \mathcal{A}$ comes with a defining equation $A = P$ with $P$ being a guarded ABC expression as defined below.

The collections $\mathcal{B}!$ and $\mathcal{B}?$ of broadcast and receive actions are given by $\mathcal{B}\sharp := \{b\sharp \mid b \in \mathcal{B}\}$ for $\sharp \in \{!,?\}$. The set $\bar{\mathcal{C}}$ of handshake communication co-names is $\bar{\mathcal{C}} := \{\bar{c} \mid c \in \mathcal{C}\}$, and the set $\mathcal{H}$ of handshake actions is $\mathcal{H} := \mathcal{C} \uplus \bar{\mathcal{C}}$, the disjoint union of the names and co-names. The function $\bar{\cdot}$ is extended to $\mathcal{H}$ by declaring $\bar{\bar{c}} = c$.

Finally, $Act := \mathcal{B}! \uplus \mathcal{B}? \uplus \mathcal{H} \uplus \{\tau\}$ is the set of actions. Below, $A, B, C$ range over $\mathcal{A}$, $b$ over $\mathcal{B}$, $c$ over $\mathcal{H}$, $\eta$ over $\mathcal{H} \cup \{\tau\}$ and $\alpha, \ell$ over $Act$. A relabelling is a function $f: (\mathcal{B} \to \mathcal{B}) \cup (\mathcal{C} \to \mathcal{C})$. It extends to $Act$ by $f(\bar{c}) = \overline{f(c)}$, $f(b\sharp) = f(b)\sharp$ and $f(\tau) := \tau$. The set $\mathrm{Ex}_{ABC}$ of ABC expressions is the smallest set including:

  $0$            inaction
  $\alpha.P$     prefixing
  $P + Q$        choice
  $P|Q$          parallel composition
  $P\backslash c$  restriction
  $P[f]$         relabelling
  $A$            agent identifier

for $P, Q \in \mathrm{Ex}_{ABC}$ and relabellings $f$. An expression is guarded if each agent identifier occurs within the scope of a prefixing operator. The semantics of ABC is given by the labelled transition relation $\to_{ABC} \subseteq \mathrm{Ex}_{ABC} \times Act \times \mathrm{Ex}_{ABC}$, where the transitions $P \xrightarrow{\alpha} Q$ are derived from the rules of Table 1.

ABC is basically the Calculus of Communicating Processes (CCS) [16] augmented with a formalism for broadcast communication taken from the Calculus of Broadcasting Systems (CBS) [20]. The syntax without the broadcast and receive actions and all rules except (Bro-l), (Bro-c) and (Bro-r) are taken verbatim from CCS. However, the rules now cover the different name spaces; (Act) for example allows labels of broadcast and receive actions. The rule (Bro-c) without rules like (Par-l) and (Par-r) with label $b\sharp$ implements a form of broadcast communication where any broadcast $b!$ performed by a component in a parallel composition is guaranteed to be received by any other component that is ready to do so, i.e., in a state that admits a $b?$-transition. In order to ensure associativity of the parallel composition, one also needs this rule for components receiving at the same time ($\sharp_1 = \sharp_2 = ?$). The rules (Bro-l) and (Bro-r) are added to make broadcast communication non-blocking: without them a component could be delayed in performing a broadcast simply because one of the other components is not ready to receive it.

Theorem 2.1. Strong bisimilarity ($\underline{\leftrightarrow}$) is a congruence for all operators of ABC.

Proof. This follows immediately from the observation that all rules of Table 1 are in the GSOS format of Bloom, Istrail & Meyer, using [3, Theorem 5.1.2]. □

To establish the associativity of parallel composition of ABC up to strong bisimilarity ($\underline{\leftrightarrow}$), we will employ a general result of Cranen, Mousavi & Reniers [5]. However, for this result to apply, we need a structural operational semantics of the language in the De Simone format [22]—so without negative premises.

To this end, let $\mathcal{B}{:} := \{b{:} \mid b \in \mathcal{B}\}$ be the set of broadcast discards, and $\mathcal{L} := \mathcal{B}{:} \cup Act$ the set of transition labels. We enrich the transition relation of ABC with transitions labelled with discard communications, by adding the rules

  (Dis0)  $0 \xrightarrow{b:} 0$
  (Dis1)  $\alpha.P \xrightarrow{b:} \alpha.P$  ($\alpha \neq b?$)
  (Dis2)  $\dfrac{P \xrightarrow{b:} P' \qquad Q \xrightarrow{b:} Q'}{P + Q \xrightarrow{b:} P' + Q'}$

to Table 1, allowing $\sharp_1 = \sharp_2 = \sharp = {:}$ in (Bro-c), and letting $\ell$ range over all of $\mathcal{L}$.

Lemma 2.2. [20] $P \xrightarrow{b:} Q$ iff $Q = P \wedge P \not\xrightarrow{b?}$, for $P, Q \in \mathrm{Ex}_{ABC}$ and $b \in \mathcal{B}$.

Proof. A straightforward induction on derivability of transitions. □

Because of this, a negative premise $P \not\xrightarrow{b?}$ can be replaced by a positive premise $P \xrightarrow{b:} P'$, and all rules (Bro) in Table 1 can be unified into the single rule (Bro-c) where $(\sharp_1, \sharp_2, \sharp)$ range over $\{!, ?, {:}\}$ and $\circ$ is defined by the table on the right. The resulting rules are all in the De Simone format.

[Table defining $\circ$; only the column header “! ?” is legible in the scan]

The remaining cases are still undefined, i.e., (Jio : = : ojJ 2 = _ (for jji, tb A :).

Corollary 2.3. The original and modified structural operational semantics of ABC yield the same labelled transition relation $\to_{ABC}$ when transitions labelled $b{:}$ are ignored.

In fact, our ‘modified’ operational semantics stems directly from CBS [20].

Theorem 2.4. In ABC, parallel composition is associative up to $\underline{\leftrightarrow}$.

Proof. The associativity depends on the generated transition relation only, and is preserved when ignoring transitions with a particular label. So by Corollary 2.3 it suffices to investigate the modified semantics. The modified operational rules of ABC fit the ASSOC-De Simone rule format of [5], which guarantees associativity up to $\underline{\leftrightarrow}$. The detailed proof that our rules fit this format is similar to the proof of Theorem 4.4 in [5]. □
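As an added illustration of the two rule sets just compared (code written for this page, not the paper's own tooling), the following Python sketch implements the ABC fragment without agent identifiers and relabelling, once with the original rules, where (Bro-l)/(Bro-r) carry the negative premise "the other component cannot receive b", and once with the discard rules (Dis0), (Dis1), (Dis2) and (Bro-c) extended to the mode ':'. Two things it relies on are assumptions rather than page content: the rows and columns of the $\circ$ table for ':' (taken from CBS, since the table is not legible above), and that (Bro-l)/(Bro-r) apply to receive actions $b?$ as well as broadcasts $b!$ (needed for associativity). The helpers `same_ignoring_discards` and `lemma_2_2_holds` then check Corollary 2.3 and Lemma 2.2 on constructed expressions.

```python
"""Toy interpreter for the ABC fragment 0, a.P, P+Q, P|Q, P\\c (no agent
identifiers, no relabelling).  Expressions are nested tuples (constructed here):
  ('nil',)  ('pre', act, P)  ('sum', P, Q)  ('par', P, Q)  ('res', P, c)
Actions are strings: 'tau'; handshake name 'c' and co-name '~c';
broadcast 'b!', receive 'b?', and (modified semantics only) discard 'b:'."""
from itertools import product

def is_bcast(a):
    return a[-1] in '!?:'

def is_hs(a):
    return a != 'tau' and not is_bcast(a)

def bar(c):                       # c <-> ~c
    return c[1:] if c.startswith('~') else '~' + c

def hs_name(c):                   # the name that P\c restricts
    return c[1:] if c.startswith('~') else c

# Mode composition for (Bro-c).  The {!,?} part is as described in the text;
# the entries involving ':' follow CBS and are an assumption.  '!' with '!'
# stays undefined, so two simultaneous broadcasts never synchronise.
COMPOSE = {('!', '?'): '!', ('?', '!'): '!', ('?', '?'): '?',
           ('!', ':'): '!', (':', '!'): '!', ('?', ':'): '?',
           (':', '?'): '?', (':', ':'): ':'}

def bnames(P):
    """Broadcast names occurring in P: a finite stand-in for the set B."""
    k = P[0]
    if k == 'nil':
        return set()
    if k == 'pre':
        own = {P[1][:-1]} if is_bcast(P[1]) else set()
        return own | bnames(P[2])
    if k == 'res':
        return bnames(P[1])
    return bnames(P[1]) | bnames(P[2])

def transitions(P, modified=False, B=None):
    """All (label, target) pairs derivable for P.  modified=False: original rules,
    with the negative premise in (Bro-l)/(Bro-r); modified=True: (Dis0)-(Dis2)
    and (Bro-c) with ':' as a third mode, and no (Bro-l)/(Bro-r)."""
    B = bnames(P) if B is None else B
    tr = lambda Q: transitions(Q, modified, B)
    k = P[0]
    if k == 'nil':                                               # (Dis0)
        return {(b + ':', P) for b in B} if modified else set()
    if k == 'pre':
        a, Q = P[1], P[2]
        out = {(a, Q)}                                           # (Act)
        if modified:                                             # (Dis1)
            out |= {(b + ':', P) for b in B if a != b + '?'}
        return out
    if k == 'sum':
        L, R = tr(P[1]), tr(P[2])
        out = {(a, Q) for a, Q in L | R if not a.endswith(':')}  # (Sum-l)/(Sum-r)
        if modified:                                             # (Dis2)
            out |= {(b + ':', P) for b in B
                    if (b + ':', P[1]) in L and (b + ':', P[2]) in R}
        return out
    if k == 'res':                                               # (Res)
        Q, c = P[1], P[2]
        return {(a, ('res', Q1, c)) for a, Q1 in tr(Q)
                if not (is_hs(a) and hs_name(a) == c)}
    Q, R = P[1], P[2]                                            # P = Q|R
    L, M = tr(Q), tr(R)
    out = {(a, ('par', Q1, R)) for a, Q1 in L if not is_bcast(a)}   # (Par-l)
    out |= {(a, ('par', Q, R1)) for a, R1 in M if not is_bcast(a)}  # (Par-r)
    for (a, Q1), (c, R1) in product(L, M):
        if is_hs(a) and is_hs(c) and bar(a) == c:                # (Comm)
            out.add(('tau', ('par', Q1, R1)))
        if is_bcast(a) and is_bcast(c) and a[:-1] == c[:-1] \
                and (a[-1], c[-1]) in COMPOSE:                   # (Bro-c)
            out.add((a[:-1] + COMPOSE[a[-1], c[-1]], ('par', Q1, R1)))
    if not modified:   # (Bro-l)/(Bro-r): the other side cannot receive b
        out |= {(a, ('par', Q1, R)) for a, Q1 in L
                if is_bcast(a) and (a[:-1] + '?') not in {l for l, _ in M}}
        out |= {(a, ('par', Q, R1)) for a, R1 in M
                if is_bcast(a) and (a[:-1] + '?') not in {l for l, _ in L}}
    return out

def ignoring_discards(tr):
    return {(a, Q) for a, Q in tr if not a.endswith(':')}

def same_ignoring_discards(P):
    """Corollary 2.3 on one expression: both rule sets agree once b: is dropped."""
    return ignoring_discards(transitions(P)) == \
        ignoring_discards(transitions(P, modified=True))

def lemma_2_2_holds(P, B):
    """Lemma 2.2 on one expression: P --b:--> Q iff Q = P and P cannot do b?."""
    tr = transitions(P, modified=True, B=B)
    for b in B:
        can_receive = any(a == b + '?' for a, _ in tr)
        discards = {Q for a, Q in tr if a == b + ':'}
        if discards != (set() if can_receive else {P}):
            return False
    return True

if __name__ == '__main__':
    NIL = ('nil',)
    P = ('par', ('pre', 'b!', NIL), ('pre', 'c', NIL))   # b!.0 | c.0
    for a, Q in sorted(transitions(P)):
        print(a, '->', Q)      # the broadcast is not blocked by c.0
    print(same_ignoring_discards(P), lemma_2_2_holds(P, {'b'}))
```

Running `transitions(('par', ('pre', 'b!', NIL), ('pre', 'c', NIL)))` shows the non-blocking point of (Bro-l): the broadcast `b!` fires although `c.0` is not listening, whereas `transitions(('res', ('pre', 'c', NIL), 'c'))` is empty, which is the reason given later in the text for not counting handshake actions as output actions.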

3 Formalising Temporal Properties 

We will use Linear-time Temporal Logic (LTL) [19] to specify properties that one would like to establish for concurrent systems. For the purpose of this paper, any other temporal logic could have been used as well.

We briefly recapitulate the syntax and semantics of LTL; a thorough and formal introduction to this logic can be found e.g. in [mi]. The logic is built from a set of atomic propositions that characterise facts that may hold in some state of a (concurrent) system. A classical example is that a ‘transition $t$ is enabled’, denoted by $en(t)$.

LTL formulas are interpreted on paths in a transition system,² where each state is labelled with the atomic propositions that hold in that state. A path $\pi$ is a finite or infinite sequence of states such that there is a transition from each state in $\pi$ to the next, except the last one if $\pi$ is finite. An atomic proposition $p$ holds for a path $\pi$ if $p$ holds in the first state of $\pi$.

LTL [19] uses the temporal operators X, G, F and U.³ The formulas $X\phi$, $G\phi$ and $F\phi$ mean that $\phi$ holds in the second state on a given path, globally in all states, and eventually in some state, respectively; $\phi\,U\,\psi$ means that $\psi$ will hold eventually, and $\phi$ holds in all states until this happens.⁴ Here a formula $\phi$ is deemed to hold in a state on a path $\pi$ iff it holds for the remainder of $\pi$ when starting from that state. LTL formulas can be combined by the logical connectives conjunction $\wedge$, disjunction $\vee$, implication $\Rightarrow$ and negation $\neg$.

An LTL formula holds for a process, modelled as a state in a transition system, iff it holds for all complete paths in the system starting from that state.⁵ A path is complete iff it leaves no transitions undone without a good reason; in the original work on LTL [19] the complete paths are exactly the infinite ones, but in Section 4 we propose a different concept of completeness: a path will be

² A transition system is given by a set $S$ of states and a set $T \subseteq S \times S$ of transitions.

³ X and U were not introduced in the original paper [19]; they were added later on.

⁴ G and F can be expressed in terms of U: $F\phi = \mathit{true}\,U\,\phi$ and $G\phi = \neg F\neg\phi$.

⁵ A path starting from a state $s$ is also called a path of $s$.
considered complete iff it is progressing, fair and just, as defined in Sections 4.1, 4.2 and 4.3 respectively.⁶

Below we will apply LTL to the labelled transition system $T$ generated by the structural operational semantics of ABC.⁷ Here, the most natural atomic propositions are the transition labels: they tell when an action takes place. These propositions hold for transitions rather than for states. Additionally, one can consider state-based propositions such as $en(t)$. In languages that maintain data variables,⁸ propositions such as ‘$x < 7$’ that report on the current value of such variables can also be associated to the states.

To incorporate the transition-based atomic propositions into the framework of temporal logic, we perform a translation of the transition-labelled transition system $T$ into a state-labelled transition system $S$, and apply LTL to the latter. A suitable translation, proposed in [6], introduces new states halfway the existing transitions—thereby splitting a transition $t$ into two consecutive transitions—and attaches transition labels to the new ‘midway’ states. If we also have state-based atomic propositions stemming from $T$, we furthermore declare any atomic proposition except $en(t)$ that holds in state $Q$ to also hold for the new state midway a transition $P \to Q$. LTL formulas are interpreted on the paths in $S$. Such a path is a sequence of states of $S$, and thus an alternating sequence of states and transitions from $T$. Here we will only consider paths that are infinite or end in a state of $T$; paths ending ‘midway a transition’ will not be complete, progressing, fair or just.

Below we use LTL to formalise properties that say that whenever a precondition $\phi_{pre}$ holds in a reachable state, the system will eventually reach a state satisfying the postcondition $\phi_{post}$. Such a property is called an eventuality property in [19]; it is formalised by the LTL formula $G(\phi_{pre} \Rightarrow F\phi_{post})$.


Example 3.1. In a language like ABC we can model a network by means of a parallel composition of processes running on the nodes in the network. Each of those processes $A_i$, for $1 \le i \le n$, could be specified by a defining equation $A_i = P_i$, where $P_i$ always ends with a recursive call to $A_i$. This way, the behaviour specified by $P_i$ is repeated forever. The processes $A_i$ send messages to each other along shared channels. Here a message $m$ transmitted along a broadcast or handshake channel is modelled by a name $c_m \in \mathcal{B}$ or $c_m \in \mathcal{H}$.

Suppose the process $A_0$ can receive messages $m \in \{1, \dots, k\}$ from the environment. This could be modelled by $A_0 = c_1.P_0^1 + \dots + c_k.P_0^k$. The behaviour of the nodes in the network could be specified so as to guarantee that such a message will eventually reach the node running the process $A_n$, which will deliver it to the environment by performing the broadcast $d_m!$. We may assume that no other nodes can perform the actions $c_m$ or $d_m!$.


⁶ We declare a formula $X\phi$ false on any path that lacks a second state.

⁷ A labelled transition system (LTS) is given by a set $S$ of states and a transition relation $T \subseteq S \times \mathcal{L} \times S$ for some set $\mathcal{L}$ of labels. The LTS generated by ABC has $S := \mathrm{Ex}_{ABC}$ and $T := \to_{ABC}$.

⁸ such as the algebra for wireless networks AWN [8]; see below
A useful property that this network should have is packet delivery: any message received from the environment by $A_0$ will eventually be delivered back to the environment by $A_n$. In LTL it can be formulated as $G(c_m \Rightarrow F\,d_m!)$.

In [8] we model a routing protocol in a process algebra for wireless networks (AWN) that captures dynamic topologies, where nodes drift in and out of transmission range, and communication between two nodes is successful only when they are within transmission range of each other. In this context a packet delivery property is formulated that can be obtained from a property like the one above by incorporating a number of side conditions.


4 Progress, Fairness and Justness 

In [8, Sect. 9], as well as above, we formalise properties that say that under certain conditions some desired activity will eventually happen, or some desired state will eventually be reached. As a simple instance consider the transition systems in Figures 1(a)-(c), where the double-circled state satisfies a desired property $\phi$. The formula $G(a \Rightarrow F\phi)$ says that once the action $a$ occurs, eventually we will reach a state where $\phi$ holds. We investigate reasons why this formula might not hold, and formulate assumptions that guarantee it does.

4.1 Progress 

The first thing that can go wrong is that the process of Figure 1(a)⁹ performs $a$, thereby reaching the state $s$, and subsequently remains in the state $s$ without ever performing the internal action $\tau$ that leads to the desired state $t$, satisfying $\phi$. If there is the possibility of remaining in a state even when there are enabled internal actions, no useful liveness property about processes will ever be guaranteed. We therefore make an assumption that rules out this type of behaviour.

  A process in a state that admits an internal action¹⁰ will eventually perform an action.  (P1)

(P1) is called a progress property. It guarantees that the process depicted in Figure 1(a) satisfies the LTL formula $G(a \Rightarrow F\phi)$. We cannot assume progress when only external actions are possible. For instance, the process of Figure 1(a) will not necessarily perform the action $a$, and hence need not satisfy the formula $F\phi$. The reason is that external actions could be synchronisations with the environment, and the environment may not be ready to synchronise. In ABC this can happen if $a$ is a handshake action $c \in \mathcal{H}$ or a receive action $b? \in \mathcal{B}?$. Here it makes sense to distinguish two kinds of external actions: those whose execution requires cooperation from the environment in which the process runs, and those

⁹ Following the approach of CCS [16] we identify processes and states, and do not use a notion of an initial state. When speaking of a process depicted graphically, by default we mean the state indicated by the short arrow in the figure.

¹⁰ ABC offers only one internal action $\tau$. Any other action is called external.
Fig. 1. Progress, Fairness and Justness [figure not reproduced in the scan]


that do not. We call the latter kind output actions. As far as progress properties go, output actions can be treated just like internal actions:

  A process in a state that admits an output action will eventually perform an action.  (P2)

In case $a$ is an output action, which can happen independent of the environment, the formula $F\phi$ holds for the process of Figure 1(a). In the remainder we treat internal actions and output actions together; we call them non-blocking actions.

We formalise (P1) and (P2) through a suitable modification of the definition of a complete path. In early work on temporal logic, formulas were interpreted on Kripke structures: transition systems with unlabelled transitions, subject to the condition of totality, saying that each state admits at least one outgoing transition. In this context, the complete paths are defined to be all infinite paths of the transition system. When giving up totality, it is customary to deem complete also those paths that end in a state from which no further transitions are possible [6]. Here, we go a step further, and consider paths that are either infinite or end in a state from which no further non-blocking actions are possible. Those paths are called progressing. This definition exactly captures (P1) and (P2).

This proposal is a middle ground between two extremes. Dropping all progress properties amounts to defining each path to be complete. This yields a temporal logic that is not powerful enough to establish nontrivial eventuality properties. Defining a path to be complete only when it cannot be further extended, on the other hand, incorporates progress properties that do not hold for reactive systems. It would give rise to the unwarranted conclusion that the property $F\phi$ holds for the process of Figure 1(a), regardless of the nature of $a$.

As we will show, progressing paths do not capture fairness and justness properties; hence they should not be called complete. In Sections 4.2 and 4.3 we will propose a notion of a complete path that is progressing and also captures such properties. This restriction concerns the infinite paths only; for finite paths complete will coincide with progressing.

It remains to decide which of the external actions generated by the structural operational semantics of a language should be classified as output actions. Some actions cannot be output, since they can be blocked by the environment. In ABC, any handshake action $c \in \mathcal{H}$ can be blocked by restriction. Since $(c.0)\backslash c$ cannot perform any action, $c$ cannot be output. For the remaining external actions, the user can decide whether they are output or not. For ABC we decide that a broadcast ($b!$) is an output action, whereas a receive ($b?$) is not. Informal intuition explains the reason: a process that broadcasts a message should be able to perform this action independent of whether other processes are receiving it. On the other hand, a process should only be able to receive a message that is sent by another process.

The above analysis assumes the original operational semantics of ABC, with negative premises. For the modified semantics with discard-transitions, the question arises whether $b{:}$ should count as an output action. Here the right answer is that $b{:}$ is a transition label that does not count as an action at all. The reason is that we want our progress property (P2) to imply that the ABC process $b_1!.b_2!.0$ will eventually execute the broadcast action $b_2!$. However, a potentially complete path that invalidates this property consists of $b_1!$ followed by infinitely many broadcast discards $b_1{:}$ (or $b_2{:}$). In the original operational semantics such a path does not exist, and the property is satisfied. To obtain the same result in the modified operational semantics, we classify $b{:}$ as a non-action. This way, (P2) says that after $b_1!$ the process will eventually perform a transition that is not a discard; this must be $b_2!$. Formally, this is achieved by excluding from the definition of progressing path all paths that end in infinitely many discard-transitions (all looping in the final state), where the final state in the path admits a non-blocking action. To avoid further encounters with this complication, we will henceforth assume the original operational semantics.


4.2 Fairness 

With the progress requirements (P1) and (P2) embedded in our semantics of LTL, the process of Figure 1(a) satisfies the formula $G(a \Rightarrow F\phi)$. Yet, the process of Figure 1(b) does not satisfy this formula. The reason is that in state $s$ a choice is made between two internal transitions. One leads to the desired state satisfying $\phi$, whereas the other gives the process a chance to make the decision again. This can go wrong in exactly one way, namely if the $\tau$-loop is chosen every time.

For some applications it is warranted to make a global fairness assumption, saying that in verifications we may simply assume our processes to eventually escape from a loop such as in Figure 1(b) and do the right thing. A process-algebraic verification approach based on such an assumption is described in [2]. Moreover, a global fairness assumption is incorporated in the weak bisimulation semantics employed in m. Different global fairness assumptions in process algebra appear in [4].

An alternative approach, which we follow here, is to explicitly declare certain choices to be fair, while leaving open the possibility that others are not. A strong fairness assumption requires that if a task is enabled infinitely often,¹¹ but allowing interruptions during which it is not enabled, it will eventually be scheduled. Such a property is expressed in LTL as $G(GF\psi \Rightarrow F\phi)$,¹² or equivalently $GF\psi \Rightarrow GF\phi$; here $\psi$ is the condition that states that the task is enabled, whereas $\phi$ states that it is being executed. A weak fairness assumption requires that if a task, from some point onwards, is perpetually enabled, it will eventually be scheduled. In LTL this is expressed as $G(G\psi \Rightarrow F\phi)$,¹³ or equivalently $FG\psi \Rightarrow GF\phi$.

If a formula $\psi$ holds in state $s$ of Figure 1(b), and $\phi$ in $t$, then the strong fairness assumption $G(GF\psi \Rightarrow F\phi)$ ensures the choice at $s$ to be fair. If $\psi$ even holds in (or during) the transition that constitutes the $\tau$-loop, the weak fairness assumption $G(G\psi \Rightarrow F\phi)$ suffices. If this property is part of the specification, the process of Figure 1(b) will satisfy the desired eventuality property $G(a \Rightarrow F\phi)$.

¹¹ or in the final state of a run, although for many tasks this is a logical impossibility

¹² These properties were introduced in LTL in [TD] under the name ‘responsiveness to persistence’.

In general, we propose a specification framework where a process is specified by a pair of a process expression $P$ (for instance in the language ABC) and a fairness specification $\mathcal{F}$, consisting of a collection of LTL formulas (where for instance the actions of ABC are allowed as atomic propositions). Typically, $\mathcal{F}$ contains strong or weak fairness properties.

The semantics of such a specification is again a pair. The first component is the state $P$ in the LTS generated by ABC, and the second component, the set of fair paths, is a subset of the progressing paths starting from $P$, namely those that satisfy the formulas in $\mathcal{F}$.

We require the state $P$ in the LTS and the fairness specification to be consistent with each other. By this we mean that from $P$ one cannot reach a state from where, given a sufficiently uncooperative environment, it is impossible to satisfy the fairness specification; in other words [12], ‘the automaton can never “paint itself into a corner”’. In pna this requirement is called machine closure, and demands that any finite path in the LTS, starting from $P$, can be extended to a path satisfying $\mathcal{F}$. Since we deal with a reactive system here, we need a more involved consistency requirement, taking into account all possibilities of the environment to allow or block transitions that are not fully controlled by the specified system itself. This requirement can best be explained in terms of a two-player game between a scheduler and the environment.

The game begins with any finite path $\pi$ starting from $P$, ending in a state $Q \in \mathrm{Ex}_{ABC}$, chosen by the environment. In each turn, first the environment selects a set $next(Q)$ of transitions originating from $Q$; this set has to include all transitions labelled with non-blocking actions originating from $Q$, but can also include further transitions starting from $Q$. If $next(Q)$ is empty, the game ends; otherwise the scheduler selects a transition from this set, which is, together with its target state, appended to $\pi$, and a new turn starts with the prolonged finite path. The result of the game is the finite path in which the game ends, or—if it does not—the infinite path that arises as the limit of all finite paths encountered during the game. The game is won by the scheduler iff the result is a progressing¹⁴ path that satisfies $\mathcal{F}$. Now $P$ is consistent with $\mathcal{F}$ iff there exists a winning strategy for the scheduler.

¹³ These properties were introduced in LTL in ca under the name ‘responsiveness to insistence’, and deemed ‘the minimal fairness requirement’ for any scheduler.

¹⁴ When adopting our proposal of Section 4.3 the resulting path should even be just.
4.3 Justness

Now suppose we have two concurrent systems that work independently in parallel, such as two completely disconnected nodes in a network. One of them is modelled by the transition system of Figure 1(a), and the other is doing internal transitions in perpetuity. The parallel composition is depicted on the left-hand side of Figure 1(c). According to our structural operational semantics, the overall transition system resulting from this parallel composition is the one depicted on the right. In this transition system, the LTL formula $G(a \Rightarrow F\phi)$ is not valid, because, after performing the action $a$, the process may do an infinite sequence of internal transitions that stem from the ‘right’ component in the parallel composition, instead of the transition to the desired success state. Yet the formula $G(a \Rightarrow F\phi)$ does hold intuitively, because no amount of internal activity in the right node should prevent the left component from making progress. That this formula does not hold can be seen as a pitfall stemming from the use of interleaving semantics. The intended behaviour of the process is captured by the following justness property:

  If a combination of components in a parallel composition is in a state that admits a non-blocking action, then one (or more) of them will eventually partake in an action.  (J)

Thus justness guarantees progress of all components in a parallel composition, and of all combinations of such components. In the ABC expression $((P|Q)\backslash a)|R$ for instance, we might reach a state where $P$ admits an action $c \in \mathcal{H}$ with $c \neq a$ and $R$ admits $\bar{c}$. Thereby, the combination of these components admits an action $\tau$. Our justness assumption now requires that the combination of $P$ and $R$ will eventually perform an action. This could be the $\tau$-action obtained from synchronising $c$ and $\bar{c}$, but it also could be any other action from either $P$ or $R$.

Note that progress is a special case of justness, obtained by considering any process as the combination of all its parallel components.
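The notions introduced in Sections 3, 4.1, 4.2 and 4.3 (the midway-state translation, progressing paths, weak fairness for a declared task, and justness (J)) can be compared mechanically on the three transition systems of Figure 1. The Python code below is an added example written for this page, not the authors' code. Its assumptions: the figures are reconstructed from the text as `fig_a`, `fig_b` and `interleave(fig_a(), tau_loop())`; paths are enumerated in lasso shape (a simple prefix followed by a simple cycle), which suffices for these finite systems; and the justness check is the interleaving special case of (J), tracking which component takes part in each move. Every other name in the block is introduced here.

```python
"""Checking G(a => F phi) on the transition systems of Figure 1 under different
notions of 'complete path'.  Figures and helper names are constructed here."""
from itertools import product

NON_BLOCKING = {'tau'}    # internal action; ABC's output actions b! would join this set

# An LTS is (trans, props): trans maps a state to a list of (label, target, components)
# moves; props maps a state to the set of atomic propositions holding there.
def fig_a():              # Figure 1(a): s0 -a-> s -tau-> t, phi holds in t
    return ({'s0': [('a', 's', {0})], 's': [('tau', 't', {0})], 't': []},
            {'t': {'phi'}})

def fig_b():              # Figure 1(b): as (a), plus a tau-loop in s
    return ({'s0': [('a', 's', {0})],
             's': [('tau', 's', {0}), ('tau', 't', {0})], 't': []},
            {'t': {'phi'}})

def tau_loop():           # the 'right' node of Figure 1(c): internal transitions forever
    return {'r': [('tau', 'r', {1})]}, {}

def interleave(L, R):
    """Figure 1(c): interleaving of two disconnected components; every move is
    tagged with the index (0 = left, 1 = right) of the component taking part."""
    trans, props = {}, {}
    for p, q in product(L[0], R[0]):
        trans[(p, q)] = ([(a, (p2, q), {0}) for a, p2, _ in L[0][p]] +
                         [(a, (p, q2), {1}) for a, q2, _ in R[0][q]])
        props[(p, q)] = L[1].get(p, set()) | R[1].get(q, set())
    return trans, props

def paths(trans, start):
    """Yield (states, moves, cycle_start) for every finite path and every lasso
    (simple prefix + simple cycle) from start; cycle_start is None when finite."""
    def walk(states, moves):
        yield states, moves, None
        for a, t, comps in trans[states[-1]]:
            if t in states:
                yield states + [t], moves + [(a, t, comps)], states.index(t)
            else:
                yield from walk(states + [t], moves + [(a, t, comps)])
    yield from walk([start], [])

def state_labelled(states, moves, props):
    """Translation of [6]: a midway state labelled with the action (plus the
    propositions of the target state) is put between consecutive states."""
    seq = [set(props.get(states[0], ()))]
    for a, t, _ in moves:
        seq += [{a} | set(props.get(t, ())), set(props.get(t, ()))]
    return seq

def eventually(seq, cyc, p, frm=0):
    """F p from position frm on a label sequence whose cycle (if any) starts at cyc."""
    lo = cyc if cyc is not None and frm >= cyc else frm
    return any(p in labels for labels in seq[lo:])

def responds(seq, cyc):   # G(a => F phi)
    return all(eventually(seq, cyc, 'phi', j)
               for j, labels in enumerate(seq) if 'a' in labels)

def ev_phi(seq, cyc):     # F phi
    return eventually(seq, cyc, 'phi')

# Completeness predicates: which paths count when evaluating a formula.
def maximal(trans, states, moves, cyc):       # infinite, or no transition left at all
    return cyc is not None or not trans[states[-1]]

def progressing(trans, states, moves, cyc):   # infinite, or no non-blocking action left
    return cyc is not None or not any(a in NON_BLOCKING for a, _, _ in trans[states[-1]])

def just(trans, states, moves, cyc):
    """Progressing, and no component with a non-blocking action enabled in every
    state of the cycle stays idle for the whole cycle (property (J))."""
    if not progressing(trans, states, moves, cyc):
        return False
    if cyc is None:
        return True
    cycle_states, cycle_moves = states[cyc:-1], moves[cyc:]
    active = set().union(*(c for _, _, c in cycle_moves))
    comps = set().union(*(c for ms in trans.values() for _, _, c in ms))
    enabled = lambda comp, s: any(a in NON_BLOCKING and comp in c for a, _, c in trans[s])
    return not any(comp not in active and all(enabled(comp, s) for s in cycle_states)
                   for comp in comps)

def weakly_fair(task):
    """Weak fairness for one transition (src, label, tgt): a lasso whose cycle keeps
    the task enabled in every state but never takes it is excluded (FG psi => GF phi)."""
    src, lab, tgt = task
    def pred(trans, states, moves, cyc):
        if not progressing(trans, states, moves, cyc):
            return False
        if cyc is None:
            return True
        perpetually_enabled = all(s == src for s in states[cyc:-1])
        taken = any((a, t) == (lab, tgt) for a, t, _ in moves[cyc:])
        return taken or not perpetually_enabled
    return pred

def holds(lts, start, complete, formula):
    """Does `formula` hold on every complete path of `lts` starting from `start`?"""
    trans, props = lts
    return all(formula(state_labelled(st, mv, props), None if cyc is None else 2 * cyc)
               for st, mv, cyc in paths(trans, start) if complete(trans, st, mv, cyc))

if __name__ == '__main__':
    fig_c = interleave(fig_a(), tau_loop())
    print('1(a) F phi, maximal / progressing:',
          holds(fig_a(), 's0', maximal, ev_phi), holds(fig_a(), 's0', progressing, ev_phi))
    print('1(b) G(a=>F phi), progressing / weakly fair:',
          holds(fig_b(), 's0', progressing, responds),
          holds(fig_b(), 's0', weakly_fair(('s', 'tau', 't')), responds))
    print('1(c) G(a=>F phi), progressing / just:',
          holds(fig_c, ('s0', 'r'), progressing, responds), holds(fig_c, ('s0', 'r'), just, responds))
```

The three printed lines reproduce the argument of the text: for Figure 1(a), $F\phi$ holds only if complete means maximal, the conclusion called unwarranted in Section 4.1, while $G(a \Rightarrow F\phi)$ holds already for progressing paths; Figure 1(b) needs the weak fairness assumption for the transition from $s$ to $t$; and Figure 1(c) fails under progressing paths because the lasso in which only the right component moves is admitted, but holds once that lasso is ruled out as unjust.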

We now formalise the justness requirement (J). Any transition $P|Q \xrightarrow{\alpha} R$ derives, through the rules of Table 1, from

— a transition $P \xrightarrow{\alpha} P'$ and a state $Q$, where $R = P'|Q$,

— two transitions $P \xrightarrow{\ell_1} P'$ and $Q \xrightarrow{\ell_2} Q'$, where $R = P'|Q'$,

— or from a state $P$ and a transition $Q \xrightarrow{\alpha} Q'$, where $R = P|Q'$.

This transition/state, transition/transition or state/transition pair is called a decomposition of $P|Q \xrightarrow{\alpha} R$; it need not be unique. Now a decomposition of a path $\pi$ of $P|Q$ into paths $\pi_1$ and $\pi_2$ of $P$ and $Q$, respectively, is obtained by decomposing each transition in the path, and concatenating all left-projections into a path of $P$ and all right-projections into a path of $Q$—notation $\pi \in \pi_1 | \pi_2$. Here it could be that $\pi$ is infinite, yet either $\pi_1$ or $\pi_2$ (but not both) are finite. Again, decomposition of paths need not be unique.

Likewise, any transition $P[f] \xrightarrow{f(\alpha)} R$ stems from a transition $P \xrightarrow{\alpha} P'$, where $R = P'[f]$. This transition is called a decomposition of $P[f] \xrightarrow{f(\alpha)} R$. A decomposition of a path $\pi$ of $P[f]$ is obtained by decomposing each transition in the path, and concatenating all transitions so obtained into a path of $P$. In the same way one defines a decomposition of a path of $P\backslash c$.

We now define a path of a process to be just if it models a run that can actually occur in some environment, even when postulating (J); we call it $Y$-just, for $Y \subseteq \mathscr{H}$, if it can occur in an environment that from some point onwards blocks all actions in $Y \cup \mathscr{B}?$.

Definition 4.1. $Y$-justness, for $Y \subseteq \mathscr{H}$, is the largest family of predicates on the paths in the transition system $\mathcal{S}$ associated to the LTS $\mathcal{T}$ of ABC such that

— a finite $Y$-just path ends in a state of $\mathcal{T}$ that admits actions from $Y \cup \mathscr{B}?$ only;

— a $Y$-just path of a process $P|Q$ can be decomposed into an $X$-just path of $P$ and a $Z$-just path of $Q$ such that $Y \supseteq X \cup Z$ and $X \cap \bar Z = \emptyset$, where $\bar Z := \{\bar c \mid c \in Z\}$;

— a $Y$-just path of $P\backslash c$ can be decomposed into a $Y \cup \{c, \bar c\}$-just path of $P$;

— a $Y$-just path of $P[f]$ can be decomposed into an $f^{-1}(Y)$-just path of $P$;

— and each suffix of a $Y$-just path is $Y$-just.

A path is just if it is $Y$-just for some $Y \subseteq \mathscr{H}$.

The last clause in the second requirement prevents an $X$-just path of $P$ and a $Z$-just path of $Q$ to compose into an $X \cup Z$-just path of $P|Q$ when $X$ contains an action $c$ and $Z$ the complementary action $\bar c$. The reason is that no environment can block both actions for their respective components, as nothing can prevent them from synchronising with each other. The fifth requirement helps characterising processes of the form $b.0 + (A|b.0)$ and $a.(A|b.0)$, with $A \stackrel{\text{def}}{=} a.A$. Here, the first transition 'gets rid of' the choice and of the leading action $a$, respectively, and reduces the justness of paths of such processes to their suffixes.

If $Y \subseteq Z$ then any $Y$-just path is also $Z$-just. As a consequence, a path is just iff it is $\mathscr{H}$-just. In Appendix A we show that a finite path is just iff it does not end in a state from which a non-blocking action is possible, i.e., iff it is progressing as defined in Section 4.1.

A path is called complete if it is fair as well as just, and hence also progressing.

The above definition of a just path captures our (progress and) justness requirement, and ensures that the formula $\mathbf{G}(a \Rightarrow \mathbf{F}\phi)$ holds for the process of Figure 1(c). For example, the infinite path $\pi$ starting from $r$ that after the $a$-transition keeps looping through the $\tau$-loop at $s$ can only be derived as $\pi_1|\pi_2$, where $\pi_1$ is a finite path ending right after the $a$-transition. Since $\pi_1$ fails to be just (its end state admits a $\tau$-transition), $\pi$ fails to be just too, and hence does not count when searching for a complete path that fails to satisfy $\mathbf{G}(a \Rightarrow \mathbf{F}\phi)$.

4.4 Justness versus Justice

The concept of justice was introduced in [14]: 'A computation is said to be just if it is finite or if every transition which is continuously enabled beyond a certain point is taken infinitely many times.' In LTL this amounts to $\mathbf{FG}\,en(\nu) \Rightarrow \mathbf{GF}\,\nu$ for each transition $\nu$, thus casting justice as a weak fairness property.

In [14] the identity of a transition, when appearing in a parallel composition, is not affected by the current state of the parallel component. For instance, the two transitions $c.0|d.0 \xrightarrow{c} 0|d.0$ and $c.0|0 \xrightarrow{c} 0|0$, which differ in their source and target states, are seen as the same transition of the process $c.0|d.0$, stemming from the left component and scheduled either before or after the $d$-transition of the right component. In Appendix D, to be read after B and C, we introduce the notion of an abstract transition, an equivalence class of concrete transitions, to formalise the transitions intended in [14].

In the context of reactive systems, an (abstract) transition $\nu$ typically is a synchronisation between the system and its environment. In case the environment does not synchronise, $\nu$ cannot happen, even when it is continuously enabled. For this reason, here justice is only reasonable for abstract transitions $\nu$ labelled with non-blocking actions.

In applying the concept of justice from [14] to LTSs, there is potential ambiguity in what counts as 'continuously'. Consider the ABC system specified by $B \stackrel{\text{def}}{=} c.B + b!.0$. By Definition 4.1 the computation consisting of $c$s only is just; it satisfies (J). However, it could be argued that $b!$ is continuously enabled. This would make the computation unjust in the sense of [14]. On the other hand, the choice between $c$ and $b!$ may be non-deterministic, and could always be resolved in favour of $c$. Therefore we do not consider this computation unjust, and adopt the principle of 'noninstantaneous readiness' [1], stating that the enabledness of $b!$ is interrupted when performing the $c$-transition. In our model, this is implemented by the midway states corresponding with transitions. As a result, we judge the specified execution just, and hence do not claim that $b!$ will happen eventually.

On the other hand, in our vision the enabledness of a transition cannot be interrupted by performing a concurrent transition. For instance, the execution $c^\omega$ of the process $C|b!.0$, where $C \stackrel{\text{def}}{=} c.C$, is unjust, because the $b!$-transition $\nu_{b!}$ is continuously enabled and never taken. In Appendices C and D we formalise this by a novel definition of the predicates $en(\nu)$, such that $en(\nu_{b!})$ holds during the transition $C|b!.0 \xrightarrow{c} C|b!.0$.

In doing so, we have to overcome a problem illustrated by the process $C|B$ with $B$ and $C$ as above. Whether the path $C|B \xrightarrow{c} C|B \xrightarrow{c} \cdots$ counts as being just by the mantra of [14] depends on whether $en(\nu_{b!})$ holds during each transition $C|B \xrightarrow{c} C|B$ in that path. This, in turn, depends on whether these transitions originate from $C$, so that they are concurrent with $\nu_{b!}$, or from $B$. We formalise this by using a richer transition system $\mathcal{U}$ in which the two transitions $C|B \xrightarrow{c} C|B$ are distinguished. The states of $\mathcal{U}$ are the states of $\mathcal{T}$ together with the derivations of transitions of $\mathcal{T}$ from the rules of Table 1; the latter are the concrete transitions alluded to above. The transitions of $\mathcal{U}$ are $P \to \chi$ and $\chi \to Q$, for any derivation $\chi$ of a transition $P \xrightarrow{\alpha} Q$. The predicates $en(\nu)$ are defined on the states of $\mathcal{U}$. The transition system $\mathcal{S}$ associated to the LTS $\mathcal{T}$ of ABC can be obtained from $\mathcal{U}$ by consistently identifying multiple derivations of the same transition. Now, any path $\pi$ in $\mathcal{U}$ projects onto a path $\bar\pi$ in $\mathcal{S}$, and any path in $\mathcal{S}$ is of the form $\bar\pi$. Details can be found in Appendix B.

In the literature [7,15], the concept of weak fairness often occurs as a synonym for 'justice'. At the same time, the potential ambiguity in what counts as being continuously enabled is resolved differently from the approach we take here: a transition that from some point onwards is enabled in every state cannot be ignored forever. Under this notion of weak fairness, the system $B$ discussed above will surely perform the $b!$-action. It would be useful to have different names for a concept of justice or weak fairness that adopts the principle of noninstantaneous readiness and one that does not.

The following theorem states that the former concept of justice is in perfect agreement with our notion of justness of Section 4.3. Its proof can be found in Appendix E.

Theorem 4.2. A path of an ABC process is just in the sense of Definition 4.1 iff it is of the form $\bar\pi$ for a path $\pi$ in $\mathcal{U}$ that satisfies the LTL formulas $\mathbf{FG}\,en(\nu) \Rightarrow \mathbf{GF}\,\nu$ for each abstract transition $\nu$ with $\ell(\nu) \in \mathit{Act}$ a non-blocking action.

5 Implementing Fairness Specifications

For certain properties of the form $(\bigvee_i \mathbf{GF}\,a_i) \Rightarrow (\bigvee_j \mathbf{GF}\,b_j)$ where the $a_i$ and $b_j$ are action occurrences, hence for specific strong fairness properties, one can define a fairness operator that transforms a given LTS into a LTS that satisfies the property [?]. This is done by eliminating all the paths that do not satisfy the property via a carefully designed parallel composition. In the same vein, we ask whether any process specification involving a fairness specification can be implemented by means of a process-algebraic expression without fairness component. Here we give an example that we believe cannot be implemented in standard process algebras like CCS. To make this more precise, let CCS! be the fragment of ABC without receive actions; equivalently, this is the fragment of CCS in which certain names $b$ induce no co-names $\bar b$ and no restriction operators $\backslash b$. These actions are deemed output actions, meaning that we do not consider environments that can prevent them from occurring.

Consider the CCS! process $(I_1 \,|\, G \,|\, I_2)\backslash c_1 \backslash c_2$, where

$I_i \stackrel{\text{def}}{=} r_i.c_i.I_i$ ($i \in \{1,2\}$) and $G \stackrel{\text{def}}{=} \bar c_1.t_1.e.G + \bar c_2.t_2.e.G$

augmented with the fairness specification $\bigwedge_{i=1,2} \mathbf{G}(r_i \Rightarrow \mathbf{F}\,t_i)$.

Here $t_1$, $t_2$, $e$ are output actions. This process could be called a fair scheduler. The actions $r_1$ and $r_2$ can be seen as requests received from the environment to perform tasks $t_1$ and $t_2$, respectively. Each $r_i$ triggers a task $t_i$. Moreover, between each two occurrences of $t_i$ and $t_j$ an action $e$ needs to be scheduled.

Conjecture 1. There does not exist a CCS! expression $G$ such that the process $(I_1 \,|\, G \,|\, I_2)\backslash c_1 \backslash c_2$, with $I_1$ and $I_2$ as above, has the following properties:

1. On each complete (= just) path, each $r_i$ is followed by a $t_i$.

2. On each finite path no more $t_i$s than $r_i$s occur.

3. Between each pair of occurrences of $t_i$ and $t_j$ ($i, j \in \{1,2\}$) an action $e$ occurs.

We use CCS! rather than CCS to prevent the environment invalidating 1. by disallowing $t_i$. We believe that there is no way to encode a fair scheduler with these properties in CCS! without the help of a fairness specification. However, we can do it in ABC, with $I_1 \,|\, G \,|\, I_2$ where

$I_1 \stackrel{\text{def}}{=} r_1.c_1!.I_1$ and $I_2 \stackrel{\text{def}}{=} r_2.c_2!.I_2$

$G \stackrel{\text{def}}{=} c_1?.G_1 + c_2?.G_2$

$G_i \stackrel{\text{def}}{=} c_j?.G_{ij} + t_i.G'$

$G_{ij} \stackrel{\text{def}}{=} t_i.G'_j$

$G' \stackrel{\text{def}}{=} e.G + c_1?.G'_1 + c_2?.G'_2$

$G'_i \stackrel{\text{def}}{=} e.G_i + c_j?.G'_{ij}$

$G'_{ij} \stackrel{\text{def}}{=} e.G_{ij}$

with $i, j \in \{1,2\}$ and $i \neq j$. This scheduler satisfies the fairness specification since the justness properties for output actions require that once $r_i$ occurs, $c_i!$ must follow, and then $t_i$ will eventually happen, at the latest when $G_{ij}$ is reached.

Currently, it is an open question whether arbitrary fairness specifications can be implemented in ABC.
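The argument just given (once $r_i$ occurs, $c_i!$ must follow, and $G$ then reaches $t_i$) can be checked mechanically on the finite state space of the scheduler. The Python script below is an added example and not part of the paper. It encodes $I_1$, $I_2$ and $G$ as explicit state machines, composes them with the broadcast semantics of ABC (a $c_i!$ is received by every component that currently admits $c_i?$ and is lost otherwise, while $r_i$ may be withheld by the environment), checks properties 2 and 3 of Conjecture 1 as invariants, and checks property 1 on complete paths only: a reachable cycle is discarded as unjust, following (J) of Section 4.3, when a component that stays idle on it admits a non-blocking action, and a finite path may only stop in a state that admits no non-blocking action (Proposition A.1). The bound `K` on outstanding requests per task, the action spellings (`r1`, `c1!`, `c1?`, `t1`, `e`) and all function names are this example's own assumptions.

```python
"""Added example (not from the paper): justness-aware check of the ABC fair
scheduler of Section 5.  Assumption K: at most K requests per task outstanding."""

K = 2
I1 = {"I1": [("r1", "C1")], "C1": [("c1!", "I1")]}          # local state -> [(action, next)]
I2 = {"I2": [("r2", "C2")], "C2": [("c2!", "I2")]}
G = {"G": [("c1?", "G1"), ("c2?", "G2")],
     "G1": [("c2?", "G12"), ("t1", "G'")], "G2": [("c1?", "G21"), ("t2", "G'")],
     "G12": [("t1", "G'2")], "G21": [("t2", "G'1")], "G'12": [("e", "G12")], "G'21": [("e", "G21")],
     "G'": [("e", "G"), ("c1?", "G'1"), ("c2?", "G'2")],
     "G'1": [("e", "G1"), ("c2?", "G'12")], "G'2": [("e", "G2"), ("c1?", "G'21")]}
COMPONENTS = [I1, G, I2]
# global state: (locals, pending_i = #r_i - #t_i, unpaid_i = an r_i with no later t_i, need_e)
INIT = (("I1", "G", "I2"), (0, 0), (False, False), False)

def nonblocking(a):                   # only handshakes r_i and receives b? can be blocked
    return not (a.startswith("r") or a.endswith("?"))

def step(state):
    """Global transitions as (label, set of participating components, next state)."""
    locs, pend, unpaid, need_e = state
    for k, comp in enumerate(COMPONENTS):
        for a, nxt in comp[locs[k]]:
            i = int(a[1]) - 1 if a[1:2].isdigit() else None
            if a.endswith("?") or (a[0] == "r" and pend[i] >= K):
                continue                  # receives fire only with a broadcast; K: env. bound
            new, parts, p, u, ne = list(locs), {k}, list(pend), list(unpaid), need_e
            new[k] = nxt
            if a[0] == "r":
                p[i], u[i] = p[i] + 1, True
            elif a[0] == "t":
                p[i], u[i], ne = p[i] - 1, False, True
            elif a == "e":
                ne = False
            else:                         # broadcast c_i!: every listener receives, none blocks
                for m, other in enumerate(COMPONENTS):
                    for b, tgt in (other[locs[m]] if m != k else ()):
                        if b == a[:-1] + "?":     # G admits at most one c_i? per state
                            new[m], parts = tgt, parts | {m}
                            break
            yield a, frozenset(parts), (tuple(new), tuple(p), tuple(u), ne)

def check_safety(edges):
    """Properties 2 and 3 as invariants on every reachable transition."""
    bad = []
    for s, a, _, _ in edges:
        if a[0] == "t" and s[1][int(a[1]) - 1] < 1:
            bad.append(("more t than r", s, a))
        if a[0] == "t" and s[3]:
            bad.append(("two t's without an e between them", s, a))
    return bad

def cyclic_sccs(nodes, succ):         # SCCs containing a cycle, by mutual reachability
    reach = {}
    for n in nodes:
        seen, stack = set(), [n]
        while stack:
            fresh = [y for y in succ.get(stack.pop(), ()) if y not in seen]
            seen.update(fresh)
            stack.extend(fresh)
        reach[n] = seen
    done, comps = set(), []
    for n in nodes:
        if n not in done and n in reach[n]:
            comps.append({m for m in reach[n] if n in reach[m]})
            done |= comps[-1]
    return comps

def check_liveness(states, edges, i, just=True):
    """Property 1 for task i on complete paths: a cycle with an unpaid r_i and no t_i
    is a counterexample unless (with just=True) clause (J) excludes it because some
    component idle on the cycle admits a non-blocking action.  The 'combination of
    components' part of (J) is vacuous here: the components share no handshake names."""
    nodes = [s for s in states if s[2][i - 1]]
    succ, parts_of = {}, {}
    for s, a, parts, t in edges:
        if s[2][i - 1] and t[2][i - 1] and a != "t%d" % i:
            succ.setdefault(s, []).append(t)
            parts_of.setdefault((s, t), set()).update(parts)
    bad = [("stuck with unpaid r%d" % i, s) for s in nodes     # a finite complete path may
           if not any(nonblocking(a) for a, _, _ in step(s))]  # only stop where nothing
    for comp in cyclic_sccs(nodes, succ):                      # non-blocking is enabled
        moving = set().union(*(parts_of[(s, t)] for s in comp
                               for t in succ.get(s, ()) if t in comp))
        loc = next(iter(comp))[0]         # idle components keep one local state on comp
        excluded = just and any(nonblocking(a) for k in range(len(COMPONENTS))
                                if k not in moving for a, _ in COMPONENTS[k][loc[k]])
        if not excluded:
            bad.append(("cycle avoiding t%d" % i, len(comp)))
    return bad

def verify(just=True):
    seen, todo, edges = {INIT}, [INIT], []
    while todo:                           # explore the reachable product
        s = todo.pop()
        for a, parts, t in step(s):
            edges.append((s, a, parts, t))
            if t not in seen:
                seen.add(t)
                todo.append(t)
    live = check_liveness(seen, edges, 1, just) + check_liveness(seen, edges, 2, just)
    return {"states": len(seen), "safety": check_safety(edges), "liveness": live}
```

`verify()` returns empty `safety` and `liveness` lists for the scheduler. `verify(just=False)`, which treats every reachable cycle as a possible run, reports a cycle avoiding $t_1$: $I_2$ and $G$ keep serving $r_2$ while $I_1$ sits at $c_1!.I_1$. Justness discards exactly that cycle, because $c_1!$ is an output that nothing can block, which is the argument of the preceding paragraph in executable form.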


6 Conclusion and Outlook 

In this paper we have investigated how progress, fairness and justness assump¬ 
tions can be handled within a process-algebraic specification formalism. Our 
semantics of a process is a state P in an LTS together with a set of complete 
paths: paths of P that are progressing , fair and just. We specify the fair paths by 
means of temporal logic, using a fairness specification in addition to a process- 
algebraic expression P. The progressing and just paths, on the other hand, are 
completely determined by the syntax of P. 

To demonstrate that the introduced approach is not only a theoretical result, we have applied the formalism to a more involved process algebra called AWN (Algebra for Wireless Networks) and analysed the IETF-standardised Ad hoc On-demand Distance Vector (AODV) routing protocol [17]. We investigated two fundamental properties of routing protocols: route discovery and packet delivery. Route discovery, a property that every routing protocol ought to satisfy, states that if a route discovery process is initiated in a state where the source is connected to the destination and no (relevant) link breaks, then the source will eventually discover a route to the destination. Surprisingly, using the presented mechanism we could show that this property does not hold. The second property, packet delivery, was already sketched in Section 3; it has been shown that this property does not hold either. As a consequence, AODV does not satisfy two of the most crucial properties of routing protocols. Details can be found in [?]. The formalisation of progress, fairness and justness presented here was crucial for these results; without making these assumptions, no routing protocol would satisfy the route discovery and packet delivery properties.

Future work will include the definition of suitable semantic equivalences on an 
LTS together with a set of complete paths, and their algebraic characterisations. 
Proposition A.1. A finite path in $\mathcal{S}$ is $Y$-just, for $Y \subseteq \mathscr{H}$, iff its last state is a state $Q \in \mathrm{Ex}_{ABC}$ of $\mathcal{T}$ and all transitions enabled in $Q$ are labelled with actions from $Y \cup \mathscr{B}?$.

Proof. "$\Rightarrow$": This follows immediately from the first requirement of Definition 4.1. "$\Leftarrow$": Define a path in $\mathcal{S}$ to be $Y$-just$_{\mathit{fin}}$ if it is finite, its last state is a state $Q \in \mathrm{Ex}_{ABC}$ of $\mathcal{T}$, and all transitions enabled in $Q$ are labelled with actions from $Y \cup \mathscr{B}?$. Then the family of predicates $Y$-justness$_{\mathit{fin}}$, for $Y \subseteq \mathscr{H}$, satisfies the five requirements of Definition 4.1. Since $Y$-justness is the largest family of predicates satisfying those requirements, $Y$-justness$_{\mathit{fin}}$ implies $Y$-justness. □

It follows that a finite path is just iff it is progressing.


B A Concrete Kripke Structure for ABC

In Section 3 we extracted a transition system $\mathcal{S}$ with unlabelled transitions, a Kripke structure [?] but without the condition of totality, out of the LTS $\mathcal{T}$ generated by the structural operational semantics of ABC. The states of $\mathcal{S}$ are the states of $\mathcal{T}$, that is, $\mathrm{Ex}_{ABC}$, together with the transitions $P \xrightarrow{\alpha} Q$ of $\mathcal{T}$. The transitions of $\mathcal{S}$ are $P \to (P \xrightarrow{\alpha} Q)$ and $(P \xrightarrow{\alpha} Q) \to Q$, for any transition $P \xrightarrow{\alpha} Q$ of $\mathcal{T}$. Next, we would like to define predicates $en(\nu)$ on the states of $\mathcal{S}$ indicating whether an (abstract) transition $\nu$ is enabled in a state $s$ of $\mathcal{S}$. If $s$ is actually a state of $\mathcal{T}$, this is the case if $s$ is the source of $\nu$. If $s$ is a transition $\zeta$ of $\mathcal{T}$, this should be the case if $\nu$ is enabled in the source of $\zeta$, and moreover $\nu$ and $\zeta$ are concurrent, in the sense that they stem from different parallel components. A problem with this plan has been illustrated in Section 4.4 by the process $C|B$, with $B \stackrel{\text{def}}{=} c.B + b!.0$ and $C \stackrel{\text{def}}{=} c.C$. The $b!$-labelled transition $\nu$ is enabled in (or during) the transition $C|B \xrightarrow{c} C|B$ if this transition stems from $C$, but not if it stems from $B$. However, our transition system $\mathcal{S}$ fails to distinguish transitions based on the components from which they stem.

For this reason, we here define a different Kripke structure $\mathcal{U}$ that makes the required distinctions. The states of $\mathcal{U}$ are the states $\mathrm{Ex}_{ABC}$ of $\mathcal{T}$ together with the derivations of transitions of $\mathcal{T}$ from the rules of Table 1; the latter are the concrete transitions alluded to in Section 4.4. The transitions of $\mathcal{U}$ are of the form $P \to \chi$ and $\chi \to Q$, for $\mathcal{T}$-states $P, Q$ and derivations $\chi$ corresponding to a transition $P \xrightarrow{\alpha} Q$. The Kripke structure $\mathcal{S}$ can be obtained from $\mathcal{U}$ by consistently identifying multiple derivations of the same transition.

We start by giving a name to every derivation of an ABC transition from the rules of Table 1. The unique derivation of the transition $a.P \xrightarrow{a} P$ using the rule (Act) is called $\xrightarrow{a}P$. The derivation obtained by application of (Comm) or (Bro-c) on the derivations $\chi$ and $\zeta$ of the premises of that rule is called $\chi|\zeta$. The derivation obtained by application of (Par-l) or (Bro-l) on the derivation $\chi$ of the (positive) premise of that rule, and using process $Q$ at the right of $|$, is $\chi|Q$. In the same way, (Par-r) and (Bro-r) yield $P|\zeta$, whereas (Sum-l), (Sum-r), (Rel), (Res) and (Rec) yield $\chi+Q$, $P+\chi$, $\chi[f]$, $\chi\backslash c$ and $A{:}\chi$. For a derivation $\chi$ of a transition $P \xrightarrow{\alpha} Q$ write $src(\chi) := P$, $target(\chi) := Q$ and $\ell(\chi) := \alpha$.

It remains to define atomic propositions on $\mathcal{U}$. Following Section 3 we have an atomic proposition $a$ for each $a \in \mathit{Act}$, and a state $u$ of $\mathcal{U}$ is labelled with $a$ iff $u$ is a derivation of a transition $P \xrightarrow{a} Q$. Additionally, Section 4.4 announced atomic propositions $\nu$ and $en(\nu)$ for each abstract transition $\nu$; this is the subject of Appendix D.

Let $\bar{\cdot}$ be the mapping from the states of $\mathcal{U}$ to the states of $\mathcal{S}$ given by $\bar P = P$ for any process $P \in \mathrm{Ex}_{ABC}$, and $\bar\chi = (P \xrightarrow{\alpha} Q)$ for any derivation $\chi$ of a transition $P \xrightarrow{\alpha} Q$ in $\mathcal{T}$. Then each state of $\mathcal{S}$ is of the form $\bar u$, and there is a transition $\bar u \to s$ in $\mathcal{S}$ iff there is a transition $u \to v$ in $\mathcal{U}$ with $\bar v = s$. A path $\pi$ in $\mathcal{U}$ is a finite or infinite sequence $u_0 u_1 u_2 \ldots$ of states of $\mathcal{U}$ such that $u_i \to u_{i+1}$ for all $i$. This amounts to an alternating sequence of processes $P \in \mathrm{Ex}_{ABC}$ and derivations $\chi$ of transitions from $P$. For any such path $\pi$ let $\bar\pi := \bar u_0 \bar u_1 \bar u_2 \ldots$. Then $\bar\pi$ is a path in $\mathcal{S}$, and furthermore any path in $\mathcal{S}$ is of this form. Both in $\mathcal{U}$ and in $\mathcal{S}$ we only consider paths that are infinite or end in a state of $\mathcal{T}$.


C An Asymmetric Concurrency Relation between Transitions

We define a concurrency relation $\smile$ between the derivations of the outgoing transitions of a process $P \in \mathrm{Ex}_{ABC}$. With $\chi \smile \zeta$ we mean that the possible occurrence of $\chi$ is unaffected by the possible occurrence of $\zeta$. More precisely, $\chi$ and $\zeta$ need to be enabled in the state $P$, and $\chi \not\smile \zeta$ indicates that the occurrence of $\zeta$ ends or interrupts the enabledness of $\chi$, whereas $\chi \smile \zeta$ indicates that $\chi$ remains enabled during the execution of $\zeta$.

Example C.1. Let $P$ be the process $A$ with $A \stackrel{\text{def}}{=} a.A + c.A$, and let $\chi$ and $\zeta$ be the derivations of the $a$- and $c$-transitions of $P$. Then $\chi \not\smile \zeta$, because the occurrence of $\zeta$ interrupts the enabledness of $\chi$, even though right after $\zeta$ has occurred we again reach a state where $\chi$ is enabled.

Example C.2. Let $P$ be the process $a.0|c.0$, and let $\chi$ and $\zeta$ be the derivations of the $a$- and $c$-transitions. Then $\chi \smile \zeta$, because the occurrence of $\zeta$ does not affect the (parallel) occurrence of $\chi$ in any way.

Example C.3. Let $P$ be the process $b!.0|(b?.0 + c.0)$, and let $\chi$ and $\zeta$ be the derivations of the $b!$- and $c$-transitions of $P$. The broadcast $b!$ is in our view completely under the control of the left component; it will occur regardless of whether the right component listens to it or not. It so happens that if $b!$ occurs in state $P$, the right component will listen to it, thereby disabling the possible occurrence of $c$. For this reason we have $\chi \smile \zeta$ but $\zeta \not\smile \chi$.

Definition C.4. Concurrency $\smile$ is the smallest relation on derivations such that

— $\chi|Q \smile P|\zeta$ and $P|\zeta \smile \chi|Q$ if $src(\chi) = P$ and $src(\zeta) = Q$,

— $\chi|\varsigma \smile P|\zeta$ and $\varsigma|\chi \smile \zeta|P$ if $src(\chi) = P$, $src(\varsigma) = src(\zeta)$ and $\ell(\varsigma) \in \mathscr{B}?$,

— $\chi \smile \zeta$ implies $\chi+P \smile \zeta+P$, $P+\chi \smile P+\zeta$, $\chi|P \smile \zeta|P$ and $P|\chi \smile P|\zeta$,

— $\chi \smile \zeta$ implies $\chi|P \smile \zeta|\xi$, $\chi|\xi \smile \zeta|P$, $P|\chi \smile \xi|\zeta$ and $\xi|\chi \smile P|\zeta$ if $P = src(\xi)$,

— $\chi \smile \zeta$ implies $\chi|\varsigma \smile \zeta|\xi$ and $\varsigma|\chi \smile \xi|\zeta$ if $src(\varsigma) = src(\xi)$ and $\ell(\varsigma) \in \mathscr{B}?$,

— $\chi \smile \zeta \wedge \varsigma \smile \xi$ implies $\chi|\varsigma \smile \zeta|\xi$; and

— $\chi \smile \zeta$ implies $\chi\backslash c \smile \zeta\backslash c$, $\chi[f] \smile \zeta[f]$ and $A{:}\chi \smile A{:}\zeta$ for any $c \in \mathscr{C}$, relabelling $f$ and $A \in \mathscr{A}$,

for arbitrary derivations $\chi, \zeta, \varsigma, \xi$ and expressions $P, Q \in \mathrm{Ex}_{ABC}$, provided that the composed derivations exist. We say that $\chi$ and $\zeta$ are concurrent if $\chi \smile \zeta$ and $\zeta \smile \chi$.

Observation C.5. The relation $\smile$ is irreflexive. Moreover, if $\chi \smile \zeta$ then $src(\chi) = src(\zeta)$.

This follows by a straightforward induction on the definition of $\smile$.

Example C.6. Let $A \stackrel{\text{def}}{=} c.A$ and $B \stackrel{\text{def}}{=} \bar c.B + (\tau.B + b!.0)$. Transition $A|B \xrightarrow{\tau} A|B$ has 2 derivations: $(A{:}(\xrightarrow{c}A))|(B{:}((\xrightarrow{\bar c}B)+(\tau.B+b!.0)))$ and $A|(B{:}(\bar c.B+((\xrightarrow{\tau}B)+b!.0)))$. Only the latter is concurrent with $(A{:}(\xrightarrow{c}A))|B$ (using the first clause above).

Example C.7. One has $(((\xrightarrow{a}0)|c.0) + d.0)[f] \smile ((a.0|(\xrightarrow{c}0)) + d.0)[f]$, using the first, third and seventh clauses above. Both are derivations of transitions with source $((a.0|c.0) + d.0)[f]$.

Example C.8. One has $((\xrightarrow{a}0)|c.0)|((\xrightarrow{a}0)|c.0) \smile (a.0|(\xrightarrow{c}0))|(a.0|(\xrightarrow{c}0))$, using the first and sixth clauses above. Both are derivations of transitions with source $(a.0|c.0)|(a.0|c.0)$.

Example C.9. One has $((\xrightarrow{a}0)|c.0)|(\xrightarrow{a}0) \smile (a.0|(\xrightarrow{c}0))|a.0$, using the first and fourth clauses above. Both are derivations of transitions with source $(a.0|c.0)|a.0$.

Example C.10. One has $(\xrightarrow{b!}0)|((\xrightarrow{b?}0) + c.0) \smile b!.0|(b?.0 + (\xrightarrow{c}0))$, using the second clause above. Both are derivations of transitions with source $b!.0|(b?.0 + c.0)$. However, $b!.0|(b?.0 + (\xrightarrow{c}0)) \not\smile (\xrightarrow{b!}0)|((\xrightarrow{b?}0) + c.0)$. See Example C.3 for motivation.

Example C.11. One has $((\xrightarrow{b!}0)|c.0)|((\xrightarrow{b?}0) + c.0) \smile (b!.0|(\xrightarrow{c}0))|(b?.0 + (\xrightarrow{c}0))$, using the first and fifth clauses above. Both are derivations of transitions with source $(b!.0|c.0)|(b?.0 + c.0)$.
D Enabling Abstract Transitions

Below we define the concept of an abstract transition as an equivalence class of concrete transitions, the latter being the derivations of ABC transitions from the rules of Table 1. The main idea is that a transition $\nu$ stemming from one side of a parallel composition yields only one abstract transition of the parallel composition itself, regardless of the state of the other component, and, if $\nu$ performs a broadcast action, regardless of whether the other component performs a receive action synchronising with $\nu$.

Henceforth, $\nu$, $\nu_1$ and $\nu_2$ range over abstract transitions, $\chi$, $\zeta$, $\varsigma$ and $\xi$ over derivations, $P$, $Q$ over ABC expressions, and $u$, $v$ over states of $\mathcal{U}$, which are either derivations or ABC expressions.

Definition D.1. Let $\equiv$ be the smallest equivalence relation on derivations $\chi$ with $\ell(\chi) \notin \mathscr{B}?$ satisfying

— $\chi|P \equiv \chi|Q$ and $P|\chi \equiv Q|\chi$,

— $\chi|\varsigma \equiv \chi|P$ and $\varsigma|\chi \equiv P|\chi$ if $\ell(\chi) \in \mathscr{B}!$ (and thus $\ell(\varsigma) \in \mathscr{B}?$),

— $\chi+P \equiv \chi \equiv P+\chi$, $A{:}\chi \equiv \chi$ for $A \in \mathscr{A}$,

— $\chi \equiv \zeta$ implies $\chi\backslash c \equiv \zeta\backslash c$, $\chi[f] \equiv \zeta[f]$, $\chi|P \equiv \zeta|P$ and $P|\chi \equiv P|\zeta$, and moreover

— $\chi \equiv \zeta \wedge \varsigma \equiv \xi$ implies $\chi|\varsigma \equiv \zeta|\xi$,

for arbitrary derivations $\chi, \zeta, \varsigma, \xi$, and expressions $P, Q \in \mathrm{Ex}_{ABC}$, provided that the composed derivations exist. An equivalence class $[\chi]_\equiv$ is called an abstract transition; it can uniquely be denoted by leaving out $A{:}$, $P+$ and $+P$ and writing $\zeta|\_$ for $\zeta|P$ or for $\zeta|\varsigma$ with $\ell(\varsigma) \in \mathscr{B}?$, and likewise $\_|\zeta$ for $P|\zeta$ or for $\varsigma|\zeta$ with $\ell(\varsigma) \in \mathscr{B}?$, in all subexpressions of $\chi$. If $\nu = [\chi]_\equiv$ then the derivation $\chi$ is called a representative of the abstract transition $\nu$.

By definition $\chi \equiv \zeta$ implies $\ell(\chi) = \ell(\zeta)$. Setting $\ell([\chi]_\equiv) := \ell(\chi)$, we note that receive-actions are excluded, i.e., for any abstract transition $\nu$ we have $\ell(\nu) \notin \mathscr{B}?$.

Observation D.2. If $\chi|u \equiv v_1|v_2$ with $\ell(\chi) \notin \mathscr{B}?$ then $\chi \equiv v_1$. As a consequence, since no derivation is related to a process, $\chi|u \not\equiv Q|\zeta$ for any derivation $\zeta$ and $Q \in \mathrm{Ex}_{ABC}$.

Observation D.3. If $\chi[f] \equiv \zeta[f]$ or $\chi\backslash c \equiv \zeta\backslash c$ then $\chi \equiv \zeta$.

The abstract transitions, with their labels, can be seen as the smallest set such that

— $\xrightarrow{a}P$ is an abstract tr. for $a \in \mathscr{H} \cup \mathscr{B}! \cup \{\tau\}$ and $P \in \mathrm{Ex}_{ABC}$, and $\ell(\xrightarrow{a}P) = a$,

— if $\nu$ is an abstract tr. then so are $\nu|\_$ and $\_|\nu$, with $\ell(\nu|\_) = \ell(\_|\nu) = \ell(\nu)$,

— if $\nu_1$ and $\nu_2$ are abstract trs. with $\ell(\nu_1) = \overline{\ell(\nu_2)}$ then so is $\nu_1|\nu_2$, with $\ell(\nu_1|\nu_2) = \tau$,

— if $\nu$ is an abstract tr. with $c \neq \ell(\nu) \neq \bar c$ then so is $\nu\backslash c$, with $\ell(\nu\backslash c) = \ell(\nu)$, and

— if $\nu$ is an abstract tr. and $f$ a relabelling then so is $\nu[f]$, with $\ell(\nu[f]) = f(\ell(\nu))$.

Abstract transitions only reflect the syntactical structure of derivations; they do not take semantics into account. Hence $\nu|\_ \neq \_|\nu$ and $(\_|\nu)|\_ \neq \_|(\nu|\_)$.

For each abstract transition $\nu$ we introduce atomic propositions $\nu$ and $en(\nu)$. The former says that $\nu$ occurs. It holds for a state $u$ of $\mathcal{U}$ iff $u$ is a derivation $\zeta$ such that $\nu = [\zeta]_\equiv$. The latter is defined by a case distinction on the type of state $u$. An abstract transition $\nu$ is enabled (denoted by $en(\nu)$) in $P \in \mathrm{Ex}_{ABC}$ iff $P = src(\chi)$ for a representative $\chi$ of $\nu$. It is enabled in (or during) a derivation $\zeta$ iff $\nu$ has a representative $\chi$ with $\chi \smile \zeta$. As we shall see, in that case $\nu$ is also enabled in $src(\zeta)$ as well as $target(\zeta)$. We write $u \models p$ if the atomic proposition $p$ holds in the state $u$ of $\mathcal{U}$.

Example D.4. The abstract transition $\nu = \_|(\xrightarrow{c}0)$, with $c \in \mathscr{H}$ and representatives $\chi_1 = 0|(\xrightarrow{c}0)$ and $\chi_2 = a.0 + (e.0|(\xrightarrow{c}0))$, is enabled during the derivation $\zeta = a.0 + ((\xrightarrow{e}0)|c.0)$ of the transition $a.0 + (e.0|c.0) \xrightarrow{e} 0|c.0$. This is the case because $\chi_2 \smile \zeta$. Accordingly, $\nu$ is also enabled in the source $src(\zeta) = a.0 + (e.0|c.0)$ as well as in the target $target(\zeta) = 0|c.0$ of that transition. This example would break down without the identification $\chi \equiv P+\chi$.

Example D.5. Let $C \stackrel{\text{def}}{=} d.0|e.0$. Then the abstract transition $\nu = \_|((\xrightarrow{d}0)|\_)$ is enabled during the derivation $\zeta = c.0|C{:}(d.0|(\xrightarrow{e}0))$ of the transition $c.0|C \xrightarrow{e} c.0|(d.0|0)$. Accordingly, it is enabled in the source $src(\zeta) = c.0|C$ as well as in the target $target(\zeta) = c.0|(d.0|0)$ of that transition. This example would break down without the identification $C{:}((\xrightarrow{d}0)|\_) \equiv (\xrightarrow{d}0)|\_$.

Example D.6. Let $D \stackrel{\text{def}}{=} c.(b?.0 + e.D)$. In our view, the infinite path labelled $(ce)^\omega$ of the process $b!.0|D$ is unjust, because the output $b!$ is continuously enabled, yet never taken. The idea is that the component $b!.0$ will perform this output regardless of whether the other component is listening. For this reason, we need to formalise this output as a single abstract transition $\nu$ such that the path labelled $(ce)^\omega$ satisfies $\mathbf{FG}\,en(\nu)$. However, in the state $b!.0|D$, and during the execution of $b!.0|D{:}(\xrightarrow{c}(b?.0 + e.D))$, the derivation $(\xrightarrow{b!}0)|D$ is enabled, yet in the state $b!.0|(b?.0 + e.D)$ the derivation $(\xrightarrow{b!}0)|((\xrightarrow{b?}0) + e.D)$ is enabled. In order to regard these two derivations as representatives of the same abstract transition $(\xrightarrow{b!}0)|\_$ we employ the equivalence $\chi|Q \equiv \chi|\varsigma$ when $\ell(\chi) \in \mathscr{B}!$.

Furthermore, during the execution of $b!.0|(b?.0 + (\xrightarrow{e}D))$, a representative $\chi$ of $(\xrightarrow{b!}0)|\_$ with $src(\chi) = b!.0|(b?.0 + e.D)$ needs to be enabled as well. The only candidate is $\chi = (\xrightarrow{b!}0)|((\xrightarrow{b?}0) + e.D)$, so $(\xrightarrow{b!}0)|((\xrightarrow{b?}0) + e.D) \smile b!.0|(b?.0 + (\xrightarrow{e}D))$. This is further motivation for the second clause in Definition C.4 above.

Lemma D.7. If $u \models en(\nu)$ for a state $u$ of $\mathcal{U}$ and an abstract transition $\nu$ then $u|v \models en(\nu|\_)$ for any state $u|v$ of $\mathcal{U}$.

Proof. We make case distinctions based on whether $u$ and $v$ are processes $P$, $Q$ or derivations.

— Suppose $u = P \models en(\nu)$. Then $P = src(\chi)$ for a representative $\chi$ of $\nu$.

• Let $v = Q \in \mathrm{Ex}_{ABC}$. In case $\ell(\chi) = b!$ and $Q \xrightarrow{b?}$, let $\varsigma$ be a derivation of a transition $Q \xrightarrow{b?} Q'$. Then there exists a derivation $\chi|\varsigma$ with $src(\chi|\varsigma) = P|Q$, which is a representative of the abstract transition $\nu|\_$. In all other cases there exists a derivation $\chi|Q$, with $src(\chi|Q) = P|Q$, which is a representative of the abstract transition $\nu|\_$. Either way $P|Q \models en(\nu|\_)$.

• Now let $v = \xi$ be a derivation with $Q := src(\xi)$. In case $\ell(\chi) = b!$ and $Q \xrightarrow{b?}$, let $\varsigma$ be a derivation of a transition $Q \xrightarrow{b?} Q'$. Then there exists a derivation $\chi|\varsigma$, with $\chi|\varsigma \smile P|\xi$, which is a representative of the abstract transition $\nu|\_$. In all other cases there exists a derivation $\chi|Q$, with $\chi|Q \smile P|\xi$, which is a representative of the abstract transition $\nu|\_$. Either way $P|\xi \models en(\nu|\_)$.

— Suppose $u = \zeta \models en(\nu)$. Then $\chi \smile \zeta$ for a representative $\chi$ of $\nu$.

• Let $v = Q \in \mathrm{Ex}_{ABC}$. In case $\ell(\chi) = b!$ and $Q \xrightarrow{b?}$, let $\varsigma$ be a derivation of a transition $Q \xrightarrow{b?} Q'$. Then there exists a derivation $\chi|\varsigma$ with $\chi|\varsigma \smile \zeta|Q$, which is a representative of the abstract transition $\nu|\_$. In all other cases there exists a derivation $\chi|Q$, with $\chi|Q \smile \zeta|Q$, which is a representative of the abstract transition $\nu|\_$. Either way $\zeta|Q \models en(\nu|\_)$.

• Now let $v = \xi$ be a derivation with $Q := src(\xi)$. In case $\ell(\chi) = b!$ and $Q \xrightarrow{b?}$, let $\varsigma$ be a derivation of a transition $Q \xrightarrow{b?} Q'$. Then there exists a derivation $\chi|\varsigma$ with $\chi|\varsigma \smile \zeta|\xi$, which is a representative of the abstract transition $\nu|\_$. In all other cases there exists a derivation $\chi|Q$, with $\chi|Q \smile \zeta|\xi$, which is a representative of the abstract transition $\nu|\_$. Either way $\zeta|\xi \models en(\nu|\_)$. □

Lemma D.8. Let $u_i \models en(\nu_i)$ for $i = 1, 2$ with $\ell(\nu_1) = \overline{\ell(\nu_2)} \in \mathscr{H}$. Then $u_1|u_2 \models en(\nu_1|\nu_2)$, provided $u_1|u_2$ is a state of $\mathcal{U}$.

Proof. We make case distinctions based on whether $u_1$ and $u_2$ are processes or derivations.

Suppose $u_i = P_i \models en(\nu_i)$ for $i = 1, 2$. Then $P_i = src(\chi_i)$ for representatives $\chi_i$ of $\nu_i$. Now $src(\chi_1|\chi_2) = P_1|P_2$ and $\chi_1|\chi_2$ is a representative of $\nu_1|\nu_2$. So $P_1|P_2 \models en(\nu_1|\nu_2)$.

Suppose $u_i = \zeta_i \models en(\nu_i)$ for $i = 1, 2$. Then $\chi_i \smile \zeta_i$ for representatives $\chi_i$ of $\nu_i$. So $\chi_1|\chi_2 \smile \zeta_1|\zeta_2$. Moreover, $\chi_1|\chi_2$ is a representative of $\nu_1|\nu_2$, and thus $\zeta_1|\zeta_2 \models en(\nu_1|\nu_2)$.

Suppose $P_1 \models en(\nu_1)$ and $\zeta_2 \models en(\nu_2)$. Then $P_1 = src(\chi_1)$ and $\chi_2 \smile \zeta_2$ for representatives $\chi_i$ of $\nu_i$. Now $\chi_1|\chi_2 \smile P_1|\zeta_2$ and $\chi_1|\chi_2$ is a representative of $\nu_1|\nu_2$. So $P_1|\zeta_2 \models en(\nu_1|\nu_2)$.

The remaining case follows by symmetry. □

Lemma D.9. If $u \models en(\nu)$, $c \in \mathscr{C}$ and $c \neq \ell(\nu) \neq \bar c$ then $u\backslash c \models en(\nu\backslash c)$.

Proof. We make a case distinction based on whether $u$ is a process $P$ or a derivation $\zeta$.

Suppose $P \models en(\nu)$. Then $P = src(\chi)$ for a representative $\chi$ of $\nu$. Now $src(\chi\backslash c) = P\backslash c$ and $\chi\backslash c$ is a representative of $\nu\backslash c$. So $P\backslash c \models en(\nu\backslash c)$.

Suppose $\zeta \models en(\nu)$. Then $\chi \smile \zeta$ for a representative $\chi$ of $\nu$. So $\chi\backslash c \smile \zeta\backslash c$. Moreover, $\chi\backslash c$ is a representative of $\nu\backslash c$, and thus $\zeta\backslash c \models en(\nu\backslash c)$. □

Lemma D.10. If $u \models en(\nu)$ then $u[f] \models en(\nu[f])$.

Proof. Similar to the proof of Lemma D.9. □

Proposition D.11. If an abstract transition $\nu$ is enabled during a derivation $\zeta$ then $\nu$ is also enabled in $src(\zeta)$ as well as $target(\zeta)$.

Proof. If $\nu$ is enabled during $\zeta$ then there is a representative $\chi$ of $\nu$ such that $\chi \smile \zeta$. By Observation C.5 $src(\chi) = src(\zeta)$, so $\nu$ is also enabled in $src(\zeta)$.

For the other statement, we apply structural induction on $\chi$.

Let $\chi = \xrightarrow{a}P$. By Definition C.4 there is no derivation $\zeta$ with $\chi \smile \zeta$, which is a contradiction to our assumptions.

Let $\chi = A{:}\chi'$. Since $\chi \smile \zeta$, $\zeta$ has the form $A{:}\zeta'$ with $\chi' \smile \zeta'$. As $\nu = [\chi]_\equiv = [\chi']_\equiv$, $\nu$ is also enabled during $\zeta'$, and by induction $\nu$ is enabled in $target(\zeta') = target(\zeta)$.

Let $\chi = \chi'+P$. Since $\chi \smile \zeta$, $\zeta$ has the form $\zeta'+P$ with $\chi' \smile \zeta'$. As $\nu = [\chi]_\equiv = [\chi']_\equiv$, $\nu$ is also enabled during $\zeta'$, and by induction $\nu$ is enabled in $target(\zeta') = target(\zeta)$.

The case $\chi = P+\chi'$ follows by symmetry.

Let $\chi = \chi'\backslash c$. Since $\chi \smile \zeta$, $\zeta$ has the form $\zeta'\backslash c$ with $\chi' \smile \zeta'$. So $\nu' := [\chi']_\equiv$ is enabled during $\zeta'$, and by induction $\nu'$ is enabled in $target(\zeta')$. Moreover, $\ell(\nu') = \ell(\chi') \neq c, \bar c$. Consequently, using Lemma D.9, $\nu = \nu'\backslash c$ is enabled in $target(\zeta')\backslash c = target(\zeta)$.

Let $\chi = \chi'[f]$. Since $\chi \smile \zeta$, $\zeta$ has the form $\zeta'[f]$ with $\chi' \smile \zeta'$. So $\nu' := [\chi']_\equiv$ is enabled during $\zeta'$, and by induction $\nu'$ is enabled in $target(\zeta')$. Consequently, using Lemma D.10, $\nu = \nu'[f]$ is enabled in $target(\zeta')[f] = target(\zeta)$.

Let $\chi = \chi_1|P$. Since $\chi \smile \zeta$, Definition C.4 offers three possibilities for $\zeta$:

— Suppose that $\zeta$ has the form $Q|\zeta_2$ with $src(\chi_1) = Q$ and $src(\zeta_2) = P$. Then $\nu_1 := [\chi_1]_\equiv$ is enabled in $Q$. Hence, by Lemma D.7, $\nu = ([\chi_1]_\equiv)|\_$ is enabled in $Q|target(\zeta_2) = target(\zeta)$.

— Suppose that $\zeta$ has the form $\zeta_1|P$ with $\chi_1 \smile \zeta_1$. Then $\nu_1 := [\chi_1]_\equiv$ is enabled during $\zeta_1$, and by induction $\nu_1$ is enabled in $target(\zeta_1)$. Consequently, using Lemma D.7, $\nu = \nu_1|\_$ is enabled in $target(\zeta_1)|P = target(\zeta)$.

— Suppose that $\zeta$ has the form $\zeta_1|\zeta_2$ with $\chi_1 \smile \zeta_1$ and $P = src(\zeta_2)$. Then $\nu_1 := [\chi_1]_\equiv$ is enabled during $\zeta_1$, and by induction $\nu_1$ is enabled in $target(\zeta_1)$. Consequently, using Lemma D.7, $\nu = \nu_1|\_$ is enabled in $target(\zeta_1)|target(\zeta_2) = target(\zeta)$.

The case $\chi = P|\chi_2$ follows by symmetry.

Let $\chi = \chi_1|\chi_2$ with $\ell(\chi) = \tau$. Then $\ell(\chi_1) = \overline{\ell(\chi_2)} \in \mathscr{H}$. Since $\chi \smile \zeta$, Definition C.4 offers three possibilities for $\zeta$:

— Suppose $\zeta$ has the form $\zeta_1|P$ with $\chi_1 \smile \zeta_1$ and $P = src(\chi_2)$. Then $\nu_1 := [\chi_1]_\equiv$ is enabled during $\zeta_1$, and by induction $\nu_1$ is enabled in $target(\zeta_1)$; moreover $\nu_2 := [\chi_2]_\equiv$ is enabled in $P$. Consequently, using Lemma D.8, $\nu = \nu_1|\nu_2$ is enabled in $target(\zeta_1)|P = target(\zeta)$.

— The case that $\zeta$ has the form $P|\zeta_2$ with $\chi_2 \smile \zeta_2$ and $P = src(\chi_1)$ follows by symmetry.
























— Suppose ζ has the form ζ₁|ζ₂ with χ_i ⌣• ζ_i for i = 1,2. Then ν_i := [χ_i]_≡ is enabled during ζ_i, and by induction ν_i is enabled in target(ζ_i). Consequently, using Lemma D.8 ν = ν₁|ν₂ is enabled in target(ζ₁)|target(ζ₂) = target(ζ).

Let χ = χ₁|χ₂ with ℓ(χ) ≠ τ. Then ℓ(χ) ∈ ℬ!, since the case ℓ(χ) = ℓ(ν) ∈ ℬ? cannot occur. So ℓ(χ₁) = b! and ℓ(χ₂) = b? for some b ∈ ℬ, or vice versa. W.l.o.g. we assume the first of these cases. Since χ ⌣• ζ, Definition C.4 offers five possibilities for ζ:

— Suppose ζ has the form P|ζ₂ with P = src(χ₁) and src(χ₂) = src(ζ₂). Then ν₁ := [χ₁]_≡ is enabled in P. Hence, by Lemma D.7 ν = ν₁|_ is enabled in P|target(ζ₂) = target(ζ).

— The possibility that ζ = P|ζ₂ with χ₂ ⌣• ζ₂ and P = src(χ₁) is a special case of the last one.

— Suppose ζ has the form ζ₁|P with χ₁ ⌣• ζ₁ and P = src(χ₂). Then ν₁ := [χ₁]_≡ is enabled during ζ₁, and by induction ν₁ is enabled in target(ζ₁). Consequently, using Lemma D.7 ν = ν₁|_ is enabled in target(ζ₁)|P = target(ζ).

— Suppose ζ has the form ζ₁|ζ₂ with χ₁ ⌣• ζ₁ and src(χ₂) = src(ζ₂). Then ν₁ := [χ₁]_≡ is enabled during ζ₁, and by induction ν₁ is enabled in target(ζ₁). Consequently, using Lemma D.7 ν = ν₁|_ is enabled in target(ζ₁)|target(ζ₂) = target(ζ).

— The possibility ζ = ζ₁|ζ₂ with χ_i ⌣• ζ_i for i = 1,2 is a special case of the previous one. □

Lemma D.12. For derivations χ and ζ, χ ⌣• ζ implies χ ≢ ζ.

Proof. In case ℓ(χ) ∈ ℬ? the statement is trivial by Definition D.1, so assume ℓ(χ) ∉ ℬ?. We apply structural induction on χ.

Let χ be a derivation of the form a.P. By Definition C.4 there is no derivation ζ with χ ⌣• ζ, which is a contradiction to the antecedent.

Let χ = A:χ'. Since χ ⌣• ζ, ζ has the form A:ζ' with χ' ⌣• ζ'. Assume A:χ' ≡ A:ζ'. Then, by Definition D.1, χ' ≡ A:χ' ≡ A:ζ' ≡ ζ', a contradiction to the induction hypothesis.

Let χ = χ'+P. Since χ ⌣• ζ, ζ has the form ζ'+P with χ' ⌣• ζ'. Assume χ'+P ≡ ζ'+P. Then, by Definition D.1, χ' ≡ χ'+P ≡ ζ'+P ≡ ζ', a contradiction to the induction hypothesis.

The case χ = P+χ' follows by symmetry.

Let χ = χ'\c. Since χ ⌣• ζ, ζ has the form ζ'\c with χ' ⌣• ζ'. Assume χ'\c ≡ ζ'\c. Then, by Observation D.3, χ' ≡ ζ', a contradiction to the induction hypothesis.

Let χ = χ'[f]. Since χ ⌣• ζ, ζ has the form ζ'[f] with χ' ⌣• ζ'. Assume χ'[f] ≡ ζ'[f]. Then, by Observation D.3, χ' ≡ ζ', a contradiction to the induction hypothesis.

Let χ = χ₁|Q. Note that ℓ(χ₁) = ℓ(χ) ∉ ℬ?. Since χ ⌣• ζ, Definition C.4 offers three possibilities for ζ:

— Suppose that ζ has the form P|ζ₂. By Observation D.2 χ₁|Q ≢ P|ζ₂.

— Suppose that ζ has the form ζ₁|u with χ₁ ⌣• ζ₁ (combining the cases ζ₁|Q and ζ₁|ζ₂). Assume χ₁|Q ≡ ζ₁|u. Then, by Observation D.2, χ₁ ≡ ζ₁, a contradiction to the induction hypothesis.

The case χ = P|χ₂ follows by symmetry.

Let χ = χ₁|χ₂. As ℓ(χ) ∉ ℬ?, either ℓ(χ₁) ∉ ℬ? or ℓ(χ₂) ∉ ℬ?. W.l.o.g. we assume the first. Since χ ⌣• ζ, Definition C.4 offers seven possibilities for ζ, which can be summarised by the following 4 cases.

— Suppose ζ has the form P|ζ₂. Then by Observation D.2 χ₁|χ₂ ≢ P|ζ₂.

— The case where ζ has the form ζ₁|P with src(χ₂) = P, src(χ₁) = src(ζ₁) and ℓ(χ₁) ∈ ℬ? cannot occur since ℓ(χ₁) ∉ ℬ?.

— The case where ζ has the form ζ₁|ζ₂ with χ₂ ⌣• ζ₂, src(χ₁) = src(ζ₁) and ℓ(χ₁) ∈ ℬ? cannot occur either since ℓ(χ₁) ∉ ℬ?.

— Finally, suppose ζ has the form ζ₁|u with χ₁ ⌣• ζ₁. Assume χ₁|χ₂ ≡ ζ₁|u. Then, by Observation D.2, χ₁ ≡ ζ₁, a contradiction to the induction hypothesis. □


E Proof of Theorem 4.2

Theorem 4.2 makes a connection between the Y-just paths in P (or equivalently 𝕊) and a weak fairness property for paths in 𝕌. To establish its "⇐"-direction, we introduce two intermediate concepts: the Y-just paths in 𝕌, for Y ⊆ ℋ, and the ν-enabled paths in 𝕌, for abstract transitions ν. For the "⇒"-direction we introduce one intermediate concept: the ν-enabled paths in 𝕊.

E.1 The "⇐"-direction

Observation E.1. For a derivation χ with src(χ) = P₁|P₂ we have either that

— χ has the form χ₁|P₂ with src(χ₁) = P₁ and target(χ) = target(χ₁)|P₂, or

— χ has the form χ₁|χ₂ with src(χ_i) = P_i for i = 1,2 and target(χ) = target(χ₁)|target(χ₂), or

— χ has the form P₁|χ₂ with src(χ₂) = P₂ and target(χ) = P₁|target(χ₂).

Hence all processes and derivations on a path π starting from a state u₁|u₂ of 𝕌 have the form _|_. Let π₁ be the sequence of left- and π₂ the sequence of right-components of these processes and derivations, after (finite or infinite) subsequences of repeated elements are contracted to single elements. Then π_i is a path of u_i (i = 1,2) and together they constitute the decomposition of π, denoted π ≅ π₁|π₂.
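A worked instance of this decomposition, added here as an illustration and not taken from the paper: the processes $P_1, P_2$, the derivations $\chi_1, \chi_2$ and the shape of the path are constructed for the example, and it assumes that a path in $\mathbb{U}$ lists the derivation of each transition taken as a state between that transition's source and target.

Let $\chi_1$ be the derivation of $P_1 \xrightarrow{a} P_1'$ and $\chi_2$ the derivation of $P_2 \xrightarrow{b} P_2'$. A path in $\mathbb{U}$ in which the left component moves first and the right component afterwards is
$$\pi \;=\; (P_1|P_2)\,(\chi_1|P_2)\,(P_1'|P_2)\,(P_1'|\chi_2)\,(P_1'|P_2') .$$
Its left components are $P_1,\ \chi_1,\ P_1',\ P_1',\ P_1'$ and its right components are $P_2,\ P_2,\ P_2,\ \chi_2,\ P_2'$. Contracting each run of repeated elements to a single element gives
$$\pi_1 = P_1\,\chi_1\,P_1', \qquad \pi_2 = P_2\,\chi_2\,P_2', \qquad \text{so} \qquad \pi \cong \pi_1|\pi_2 ,$$
and $\pi_1$, $\pi_2$ are paths of $P_1$ and $P_2$ respectively. If instead $a = c$ and $b = \bar c$ for a handshake $c$ and the two components synchronise, the single derivation $\chi_1|\chi_2$ (the middle form of Observation E.1) has source $P_1|P_2$ and target $P_1'|P_2'$, and the path $(P_1|P_2)\,(\chi_1|\chi_2)\,(P_1'|P_2')$ has the same decomposition $\pi_1|\pi_2$. The decomposition thus records what each component did, not whether the two steps were interleaved or simultaneous; the contraction of repeats is what turns the stuttering left column of the interleaved path into a path of $P_1$.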

Observation E.2. If src(χ) = P\c then χ = χ'\c with src(χ') = P and target(χ) = target(χ')\c.

Hence all processes and derivations on a path π of a state u\c in 𝕌 have the form _\c. Let π' be the sequence obtained from π by stripping off these outermost occurrences of \c. Then π' is a path of u, called the decomposition of π, denoted π ≅ π'\c. In the same way one defines the decomposition of a path π of a state u[f]; notation π ≅ π'[f].

Observation E.3. Let π be a path in 𝕌. Then π ≅ π₁|π₂ implies π̄ ∈ π̄₁|π̄₂. Likewise, if π ≅ π'\c or π ≅ π'[f] then π̄' is a decomposition of π̄.

Although in 𝕊 the decomposition of a path from P|Q need not be unique, in 𝕌 it is. Armed with these definitions of decompositions of paths in 𝕌, we define Y-justness, for Y ⊆ ℋ, on the paths of 𝕌 in the exact same way as on 𝕊 (see Definition 4.1).

Proposition E.4. If a path π in 𝕌 is Y-just, for Y ⊆ ℋ, then so is the path π̄ in 𝕊.

Proof. Define a path in 𝕊 to be Y-just_𝕌, for Y ⊆ ℋ, if it has the form π̄ for a Y-just path π in 𝕌. We show that the family of predicates Y-justness_𝕌 satisfies the five requirements of Definition 4.1.

— A finite Y-just_𝕌 path π̄, with π a Y-just path in 𝕌, ends in some state P. Since P̄ = P, π ends in the same state. Hence that state admits actions from Y only.

— Let π be a Y-just path in 𝕌, so that π̄, and hence π, starts from a process P|Q. Then π ≅ π₁|π₂ for an X-just path π₁ of P and a Z-just path π₂ of Q such that Y ⊇ X ∪ Z and X ∩ Z̄ = ∅. By Observation E.3 π̄ ∈ π̄₁|π̄₂, where π̄₁ is X-just_𝕌 and π̄₂ is Z-just_𝕌.

— Let π be a Y-just path in 𝕌 starting from a process P\c. Then π ≅ π'\c for a Y∪{c, c̄}-just path π' of P. By Observation E.3 π̄' is a decomposition of π̄, where π̄' is Y∪{c, c̄}-just_𝕌.

— The case that π̄ is a path of P[f] proceeds in exactly the same way.

— Each suffix of π̄ has the form π̄' for π' a suffix of π. So if π̄ is Y-just_𝕌 because π is Y-just then π' must be Y-just, and hence π̄' is Y-just_𝕌.

Since Y-justness is the largest family of predicates on paths in 𝕊 that satisfies those requirements, Y-justness_𝕌 of paths in 𝕊 implies Y-justness of paths in 𝕊. □

Definition E.5. ν-enabledness, for ν an abstract transition, is the smallest family of predicates on the paths in 𝕌 such that

— a finite path is ν-enabled if its last state Q ∈ E_ABC enables ν, i.e. Q ⊧ en(ν);

— a path π ≅ π₁|π₂ is ν-enabled if either ν has the form ν₁|_ and π₁ is ν₁-enabled, or ν = _|ν₂ and π₂ is ν₂-enabled, or ν = ν₁|ν₂ and π_i is ν_i-enabled for i = 1,2;

— a path π ≅ π'\c is ν-enabled if ν has the form ν'\c and π' is ν'-enabled;

— a path π ≅ π'[f] is ν-enabled if ν has the form ν'[f] and π' is ν'-enabled;

— and a path is ν-enabled if it has a suffix that is ν-enabled.

Proposition E.6. Let π be a path in 𝕌 and Y ⊆ ℋ. If, for all abstract transitions ν with ℓ(ν) ∉ Y, π is not ν-enabled, then π is Y-just.

Proof. Define a path π in 𝕌 to be Y-just_en, for Y ⊆ ℋ, if it is ν-enabled for no abstract transition ν with ℓ(ν) ∉ Y. Note that if π is Y-just_en, it is also Y'-just_en for any Y ⊆ Y' ⊆ ℋ. We show that the family of predicates Y-justness_en, for Y ⊆ ℋ, satisfies the five requirements of Definition 4.1.

— Let π be a finite Y-just_en path. Suppose the last state Q of π admits an action a ∉ Y ∪ ℬ?. Then Q ⊧ en(ν) for an abstract transition ν with ℓ(ν) = a ∉ Y. So π is ν-enabled, contradicting the Y-justness_en of π.

— Suppose π is a Y-just_en path of a process P|Q. Then Y includes all labels of abstract transitions ν for which π is ν-enabled. By Observation E.1 there are paths π_i for i = 1,2 with π ≅ π₁|π₂. Let X be the set of labels of abstract transitions ν for which π₁ is ν-enabled, and let Z be the set of labels of abstract transitions ν for which π₂ is ν-enabled. If π₁ is ν-enabled then π is ν|_-enabled by Definition E.5. Since ℓ(ν|_) = ℓ(ν) this implies that X ⊆ Y. In the same way it follows that Z ⊆ Y.

Now suppose that X ∩ Z̄ ≠ ∅. Then π_i is ν_i-enabled, for i = 1,2, for abstract transitions with ℓ(ν₁) = c ∈ ℋ and ℓ(ν₂) = c̄. So by Definition E.5 π is ν₁|ν₂-enabled, in contradiction with ℓ(ν₁|ν₂) = τ ∉ Y ⊆ ℋ. We therefore conclude that X ∩ Z̄ = ∅.

By definition, π₁ is X-just_en and π₂ is Z-just_en.

— Suppose π is a Y-just_en path of a process P\c. Then Y includes all labels of abstract transitions ν for which π is ν-enabled. By Observation E.2 there is a path π' with π ≅ π'\c. Let X be the set of labels of abstract transitions ν for which π' is ν-enabled. If π' is ν-enabled and c ≠ ℓ(ν) ≠ c̄ then π is ν\c-enabled by Definition E.5. Since ℓ(ν\c) = ℓ(ν) this implies that X \ {c, c̄} ⊆ Y. It follows that π' is X-just_en, and hence Y∪{c, c̄}-just_en.

— Suppose π is a Y-just_en path of a process P[f]. Then Y includes all labels of abstract transitions ν for which π is ν-enabled. By the remark after Observation E.2 there is a path π' with π ≅ π'[f]. Let X be the set of labels of abstract transitions ν for which π' is ν-enabled. If π' is ν-enabled then π is ν[f]-enabled by Definition E.5. Since ℓ(ν[f]) = f(ℓ(ν)) this implies that f(X) ⊆ Y. It follows that π' is X-just_en, and hence f⁻¹(Y)-just_en.

— Suppose π' is a suffix of a Y-just_en path π. Then Y includes all labels of abstract transitions ν for which π is ν-enabled. By the last clause of Definition E.5 Y thereby includes all labels of abstract transitions ν for which π' is ν-enabled. Hence π' is Y-just_en.

Since Y-justness is the largest family of predicates that satisfies those requirements, Y-justness_en implies Y-justness. □

Henceforth, we write π ⊧ φ if the LTL formula φ holds for the path π in 𝕌, that is, if π satisfies φ. Note that a finite path satisfies FG φ if φ holds in its last state.

Proposition E.7. If π is ν-enabled then π ⊧ FG en(ν).

Proof. We apply induction on ν-enabledness of a path π in 𝕌, using the five clauses of Definition E.5.

Suppose π is ν-enabled because it is finite and its last state Q ∈ E_ABC enables ν. Then π ⊧ FG en(ν).

Suppose π ≅ π₁|π₂ is ν-enabled because ν = ν₁|_ and π₁ is ν₁-enabled. By induction π₁ ⊧ FG en(ν₁). Let π'₁ = u₀u₁u₂… be a suffix of π₁ with π'₁ ⊧ G en(ν₁). Then, for all i ≥ 0, u_i ⊧ en(ν₁) and thus u_i|v ⊧ en(ν₁|_) for any state u_i|v of 𝕌 by Lemma D.7. Therefore π ⊧ FG en(ν). The case that ν = _|ν₂ and π₂ is ν₂-enabled goes likewise.

Suppose π ≅ π₁|π₂ is ν-enabled because ν = ν₁|ν₂ and π_i is ν_i-enabled for i = 1,2. Then ℓ(ν₁) = c and ℓ(ν₂) = c̄ for some c ∈ ℋ. By induction π_i ⊧ FG en(ν_i). Let π'₁ = u₀u₁u₂… and π'₂ = v₀v₁v₂… be (finite or infinite) suffixes of π₁ and π₂ with π'_i ⊧ G en(ν_i) for i = 1,2. Then, for all j,k ≥ 0, u_j ⊧ en(ν₁) and v_k ⊧ en(ν₂) and thus u_j|v_k ⊧ en(ν₁|ν₂) by Lemma D.8 whenever u_j|v_k is a state of 𝕌. Therefore π ⊧ FG en(ν).

Suppose π ≅ π'\c (with c ∈ ℋ) is ν-enabled because ν = ν'\c and π' is ν'-enabled. Then c ≠ ℓ(ν') ≠ c̄. By induction, π' ⊧ FG en(ν'). Using Lemma D.9 one finds π ⊧ FG en(ν).

Suppose π ≅ π'[f] is ν-enabled because ν = ν'[f] and π' is ν'-enabled. By induction π' ⊧ FG en(ν'). Using Lemma D.10 one finds π ⊧ FG en(ν).

Suppose π is ν-enabled because it has a suffix π' that is ν-enabled. Then, by induction, π' ⊧ FG en(ν). Hence π ⊧ FG en(ν). □

The following result is the "⇐"-direction of Theorem 4.2.

Proposition E.8. If π is a path in 𝕌 with π ⊧ FG en(ν) ⇒ GF ν for each abstract transition ν with ℓ(ν) ∈ ℬ! ∪ {τ}, then π̄ is just in the sense of Definition 4.1.

Proof. By definition no state P ∈ E_ABC satisfies ν. So, any state of 𝕌 that could satisfy ν as well as en(ν) needs to be a derivation ζ. Assume ζ ⊧ en(ν). Then there is a representative χ of ν, i.e., ν = [χ]_≡, with χ ⌣• ζ. Using Lemma D.12 we get ν = [χ]_≡ ≠ [ζ]_≡. In case ζ would also satisfy ν, we have, by definition, ν = [ζ]_≡, which is a contradiction. Hence there is no abstract transition ν and state u in 𝕌 for which the propositions en(ν) and ν both hold. Consequently, the formula FG en(ν) ⇒ GF ν is equivalent to ¬FG en(ν).

Let π be a path in 𝕌 with π ⊧ ¬FG en(ν) for each ν with ℓ(ν) ∈ ℬ! ∪ {τ}. Then, by Proposition E.7 π is ν-enabled for no ν with ℓ(ν) ∈ ℬ! ∪ {τ}. Hence, by Proposition E.6 π is ℋ-just. Therefore, by Proposition E.4 π̄ is ℋ-just, and hence just. □

E.2 The "⇒"-direction

E.2.1 On the targets of derivations enabling abstract transitions

Lemma E.9. If ζ ⊧ en(ν|_), ζ ⊧ en(_|ν) or ζ ⊧ en(ν₁|ν₂) for a derivation ζ and abstract transitions ν, ν₁, ν₂, then target(ζ) has the form P₁|P₂.

Proof. Since ζ ⊧ en(ν) means that χ ⌣• ζ for a representative χ of ν, the lemma can be rephrased as: "If χ ⌣• ζ for a representative χ of an abstract transition ν|_, _|ν or ν₁|ν₂, then target(ζ) has the form P₁|P₂." We prove this statement by structural induction on χ.

— Let χ be χ'|P, P|χ' or χ₁|χ₂. By the definition of ⌣•, ζ must then have the form Q|ζ', ζ'|Q or ζ₁|ζ₂. In each of these cases target(ζ) has the form P₁|P₂.

— Let χ = χ'+P. Then ζ must have the form ζ'+P with χ' ⌣• ζ' by the definition of ⌣•. Since χ is a representative of an abstract transition ν|_, _|ν or ν₁|ν₂, so is χ'. By induction, target(ζ') has the form P₁|P₂. By rule (Sum-l) target(ζ) = target(ζ'), and thus of the form P₁|P₂.

— The cases χ = P+χ' and χ = A:χ' proceed likewise.

— As χ represents an abstract transition ν|_, _|ν or ν₁|ν₂, it cannot have any other form. □


Lemma E.10. If ζ ⊧ en(ν\c) or ζ ⊧ en(ν[f]), then target(ζ) has the form P\c, resp. P[f].

Proof. The first statement can be rephrased as: "If χ ⌣• ζ for a representative χ of an abstract transition ν\c, then target(ζ) has the form P\c." We prove this statement by structural induction on χ.

— Let χ = χ'\c. By the definition of ⌣• we have ζ = ζ'\c with χ' ⌣• ζ'. Hence target(ζ) has the form P\c.

— Let χ = A:χ'. Then ζ must have the form A:ζ' with χ' ⌣• ζ' by the definition of ⌣•. Since χ is a representative of an abstract transition ν\c, so is χ'. By induction, target(ζ') has the form P\c. By rule (Rec) target(ζ) = target(ζ'), and thus of the form P\c.

— The cases χ = χ'+P and χ = P+χ' proceed likewise, using (Sum-l) and (Sum-r).

— As χ represents an abstract transition ν\c, it cannot have any other form.

The proof of the second statement proceeds likewise. □


E.2.2 Decomposing enabled abstract transitions

Observation E.11. Using Observation E.1, any representative χ of ν|_ such that src(χ) = P₁|P₂ is of the form χ'|P₂ with χ' a representative of ν, or χ'|χ'' with χ' a representative of ν and ℓ(χ') = ℓ(χ) ∈ ℬ!. Moreover src(χ') = P₁.

Lemma E.12. If u₁|u₂ ⊧ en(ν|_) for a state u₁|u₂ of 𝕌, then u₁ ⊧ en(ν).

Proof. We make a case distinction based on whether u_i is a process or a derivation.

Suppose P₁|P₂ ⊧ en(ν|_). Then P₁|P₂ = src(χ) for a representative χ of ν|_. By Observation E.11 it has the form χ'|_ with χ' a representative of ν and src(χ') = P₁. Therefore P₁ ⊧ en(ν).

Suppose P₁|ζ₂ ⊧ en(ν|_) with src(P₁|ζ₂) = P₁|P₂. Then χ ⌣• P₁|ζ₂ for a representative χ of ν|_. By Observation C.5 src(χ) = src(P₁|ζ₂) = P₁|P₂. So, by Observation E.11 it has the form χ'|_ with χ' a representative of ν and src(χ') = P₁. Therefore P₁ ⊧ en(ν).

Suppose ζ₁|u₂ ⊧ en(ν|_) with src(ζ₁|u₂) = P₁|P₂. Then χ ⌣• ζ₁|u₂ for a representative χ of ν|_. By Observation C.5 src(χ) = src(ζ₁|u₂) = P₁|P₂. So, by Observation E.11 it has either the form χ'|P₂ or χ'|χ'' (with ℓ(χ') ∈ ℬ!), with χ' a representative of ν. So, χ'|P₂ ⌣• ζ₁|u₂ or χ'|χ'' ⌣• ζ₁|u₂, and hence, by Definition C.4, χ' ⌣• ζ₁. Since χ' is a representative of ν, ζ₁ ⊧ en(ν). □
Lemma E.13. If u₁|u₂ ⊧ en(ν₁|ν₂) for a state u₁|u₂ of 𝕌, then u_i ⊧ en(ν_i) (i = 1,2).

Proof. We make a case distinction based on whether u_i is a process or a derivation.

Suppose P₁|P₂ ⊧ en(ν₁|ν₂). Then P₁|P₂ = src(χ) for a representative χ of ν₁|ν₂. By Observation E.1 it has the form _|_. Since it is a representative of ν₁|ν₂, it has the form χ₁|χ₂, with χ_i a representative of ν_i (i = 1,2). Furthermore, src(χ_i) = P_i. It follows that P_i ⊧ en(ν_i) (i = 1,2).

Suppose P₁|ζ₂ ⊧ en(ν₁|ν₂) with src(P₁|ζ₂) = P₁|P₂. Then χ ⌣• P₁|ζ₂ for a representative χ of ν₁|ν₂. By Observation C.5 src(χ) = src(P₁|ζ₂) = P₁|P₂. So, by Observation E.1 χ has the form _|_. Since it is a representative of ν₁|ν₂, it has the form χ₁|χ₂, with χ_i a representative of ν_i (i = 1,2). Moreover, ℓ(χ₁) = ℓ(ν₁) = c and ℓ(χ₂) = ℓ(ν₂) = c̄ for some c ∈ ℋ. So χ₁|χ₂ ⌣• P₁|ζ₂ and by Definition C.4 src(χ₁) = P₁ and χ₂ ⌣• ζ₂. Since χ_i (i = 1,2) is a representative of ν_i, P₁ ⊧ en(ν₁) and ζ₂ ⊧ en(ν₂).

The case ζ₁|P₂ follows by symmetry.

Suppose ζ₁|ζ₂ ⊧ en(ν₁|ν₂) with src(ζ₁|ζ₂) = P₁|P₂. Then χ ⌣• ζ₁|ζ₂ for a representative χ of ν₁|ν₂. By Observation C.5 src(χ) = src(ζ₁|ζ₂) = P₁|P₂. So, by Observation E.1 χ has the form _|_. Since it is a representative of ν₁|ν₂, it has the form χ₁|χ₂, with χ_i a representative of ν_i (i = 1,2). Moreover, ℓ(χ₁) = ℓ(ν₁) = c and ℓ(χ₂) = ℓ(ν₂) = c̄ for some c ∈ ℋ. So χ₁|χ₂ ⌣• ζ₁|ζ₂ and by Definition C.4 χ_i ⌣• ζ_i (i = 1,2). Since χ_i is a representative of ν_i, ζ_i ⊧ en(ν_i). □

Lemma E.14. If u ⊧ en(ν\c) for a state u of 𝕌 of the form u'\c, then u' ⊧ en(ν).

Proof. We make a case distinction based on whether u is a process P or a derivation ζ.

Suppose P ⊧ en(ν\c). Then P = src(χ) for a representative χ of ν\c. Since, by assumption, P is of the form P'\c, Observation E.2 says that χ is of the form χ'\c with src(χ') = P'. Since χ = χ'\c is a representative of ν\c, χ' must be a representative of ν. Hence P' ⊧ en(ν).

Suppose ζ ⊧ en(ν\c). Then χ ⌣• ζ for a representative χ of ν\c. Since, by assumption, ζ is of the form ζ'\c, src(ζ) must be of the form P'\c. By Observation C.5 src(χ) = src(ζ), so by Observation E.2 χ is of the form χ'\c. Since χ = χ'\c is a representative of ν\c, χ' must be a representative of ν. As χ'\c ⌣• ζ'\c, we have χ' ⌣• ζ'. Thus ζ' ⊧ en(ν). □

Lemma E.15. If u[f] ⊧ en(ν[f]) for a state u of 𝕌, then u ⊧ en(ν).

Proof. Exactly as above, using an analogue of Observation E.2 for relabelling. □

E.2.3 ν-enabled paths in 𝕊

Definition E.16. A path ρ in 𝕊 is ν-enabled, for an abstract transition ν, if either it is finite and its last state Q ∈ E_ABC satisfies Q ⊧ en(ν), or it is infinite and has a suffix ρ' such that ζ ⊧ en(ν) for all derivations ζ with ζ̄ a transition in ρ'.
Lemma E.17. If a path ρ in 𝕊 is Y-just and ν-enabled then ℓ(ν) ∈ Y.

Proof. If a finite path ρ in 𝕊 is ν-enabled, its last state Q ∈ E_ABC satisfies en(ν), and thus Q admits the action ℓ(ν). The first clause of Definition 4.1 (Y-justness) tells that ℓ(ν) ∈ Y.

For infinite paths ρ, we apply structural induction on ν. Let ρ be an infinite path that is Y-just and ν-enabled, and let ρ' be a suffix of ρ such that ζ ⊧ en(ν) for each derivation ζ with ζ̄ a transition in ρ'. Moreover, P ⊧ en(ν) for each state P on ρ', using Proposition D.11 and the definition of ζ̄. Let ζ₀ be a derivation of the first transition in ρ', and let ρ'' be the suffix of ρ' starting from Q := target(ζ₀).

Let ν = a.P for a ∈ Act and P ∈ E_ABC. Since no representative χ of ν is concurrent with any derivation ζ, it follows that ρ' contains no transitions, and hence consists of a single state only. This contradicts the presumed infinity of ρ.

Let ν = ν₁|_. Since ζ₀ ⊧ en(ν₁|_), by Lemma E.9 Q has the form P₁|P₂. By Definition 4.1 ρ'' can be decomposed into an X-just path ρ₁ of P₁ and a Z-just path ρ₂ of P₂ such that Y ⊇ X ∪ Z and X ∩ Z̄ = ∅. By Observation E.1 and the definition of ζ̄, all states u of ρ'' as well as all derivations u of transitions in ρ'' have the form u₁|u₂. Since each such u₁|u₂ satisfies en(ν₁|_), by Lemma E.12 u₁ ⊧ en(ν₁). It follows that u₁ ⊧ en(ν₁) for each state u₁ in ρ₁ and for each derivation u₁ of a transition in ρ₁. Hence ρ₁ is ν₁-enabled. By induction ℓ(ν₁) ∈ X. So ℓ(ν) = ℓ(ν₁) ∈ X ⊆ Y.

The case ν = _|ν₂ follows by symmetry.

Let ν = ν₁|ν₂. Then ℓ(ν₁) = c and ℓ(ν₂) = c̄ for some c ∈ ℋ. Since ζ₀ ⊧ en(ν₁|ν₂), by Lemma E.9 Q has the form P₁|P₂. By Definition 4.1 ρ'' can be decomposed into an X-just path ρ₁ of P₁ and a Z-just path ρ₂ of P₂ such that Y ⊇ X ∪ Z and X ∩ Z̄ = ∅. By Observation E.1 and the definition of ζ̄, all states u of ρ'' as well as all derivations u of transitions in ρ'' have the form u₁|u₂. Since each such u₁|u₂ satisfies en(ν₁|ν₂), by Lemma E.13 u_i ⊧ en(ν_i) (i = 1,2). It follows that u_i ⊧ en(ν_i) for each state u_i in ρ_i and for each derivation u_i of a transition in ρ_i. Hence ρ_i is ν_i-enabled. By induction ℓ(ν₁) = c ∈ X and ℓ(ν₂) = c̄ ∈ Z, so c ∈ X ∩ Z̄, in contradiction with X ∩ Z̄ = ∅. Therefore, this case cannot occur.

Let ν = ν'\c (with c ∈ ℋ). Then c ≠ ℓ(ν') ≠ c̄. Since ζ₀ ⊧ en(ν'\c), by Lemma E.10 Q has the form P\c. By Definition 4.1 ρ'' can be decomposed into a Y∪{c, c̄}-just path ρ''' of P. By Observation E.2 all derivations ζ of transitions in ρ'' have the form ζ'\c. Since each such ζ'\c satisfies en(ν'\c), by Lemma E.14 ζ' ⊧ en(ν'). It follows that ζ' ⊧ en(ν') for each derivation ζ' of a transition in ρ'''. Hence ρ''' is ν'-enabled. By induction ℓ(ν') ∈ Y ∪ {c, c̄}. Since ℓ(ν') ∉ {c, c̄} we obtain ℓ(ν) = ℓ(ν') ∈ Y.

Let ν = ν'[f]. Since ζ₀ ⊧ en(ν'[f]), by Lemma E.10 Q has the form P[f]. By Definition 4.1 ρ'' can be decomposed into an f⁻¹(Y)-just path ρ''' of P. By the relabelling variant of Observation E.2 all derivations ζ of transitions in ρ'' have the form ζ'[f]. Since each such ζ'[f] satisfies en(ν'[f]), by Lemma E.15 ζ' ⊧ en(ν'). It follows that ζ' ⊧ en(ν') for each derivation ζ' of a transition in ρ'''. Hence ρ''' is ν'-enabled. By induction ℓ(ν') ∈ f⁻¹(Y). So ℓ(ν) = f(ℓ(ν')) ∈ Y. □
The following result directly implies the "⇒"-direction of Theorem 4.2.

Proposition E.18. Let ρ be a just path in 𝕊. Then ρ = π̄ for a path π in 𝕌 that satisfies π ⊧ ¬FG en(ν) for each abstract transition ν with ℓ(ν) ∈ ℬ! ∪ {τ}.

Proof. First, suppose that ρ is a finite just path in 𝕊. By Definition 4.1 it ends in a state Q ∈ E_ABC that admits actions from ℋ ∪ ℬ? only. Pick any path π in 𝕌 with π̄ = ρ. Then π ends in Q as well. Hence π ⊧ FG en(ν) for no abstract transition ν with ℓ(ν) ∈ ℬ! ∪ {τ}.

Next, consider the case that ρ is infinite. There are countably many abstract transitions. Let (ν_i)_{i=0}^{∞} be an enumeration of the abstract transitions ν with ℓ(ν) ∈ ℬ! ∪ {τ}, such that each such ν occurs infinitely often in this sequence.

With induction on i ∈ ℕ, we construct finite paths π_i in 𝕌 such that π_i will be a strict prefix of π_j when i < j, and π̄_i is a prefix of ρ for each i ∈ ℕ.

Let π₀ be an arbitrary finite path in 𝕌 with π̄₀ a prefix of ρ. Given π_i, let ζ_i be an arbitrary derivation such that ζ_i ⊭ en(ν_i) and ζ̄_i occurs in ρ past the prefix π̄_i. Such a ζ_i must exist, as otherwise ρ would be ν_i-enabled, which contradicts Lemma E.17. (Remember that by assumption ρ is just.)

We obtain π_{i+1} by extending π_i in a way such that π̄_{i+1} is a prefix of ρ up to and including ζ̄_i and its target state; the last derivation of π_{i+1} is set to ζ_i. All derivations different from ζ_i that are not part of π_i can be chosen arbitrarily, under the restriction that π̄_{i+1} is a prefix of ρ.

Now π := lim_{i→∞} π_i exists and satisfies ρ = π̄. By construction, π ⊧ ¬FG en(ν) for any abstract transition ν with ℓ(ν) ∈ ℬ! ∪ {τ}. □




